Skip to main content

ip-address npm package CVE-2026-42338

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-05 https://github.com/beaugunderson/ip-address GHSA-v2v4-37r5-5v8g
5.3
CVSS 4.0 · Vendor: https://github.com/beaugunderson/ip-address
Share

Severity by source

Vendor (https://github.com/beaugunderson/ip-address) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/beaugunderson/ip-address).

CVSS VectorVendor: https://github.com/beaugunderson/ip-address

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
May 12, 2026 - 20:22 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
May 05, 2026 - 22:31 vuln.today
Analysis Generated
May 05, 2026 - 22:31 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on ip-address (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 10.1.1.

DescriptionCVE.org

Summary

Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. A related issue in v6.helpers.spanAll() produced malformed markup but was not exploitable; it is hardened in the same release for consistency.

Details

Four related issues were identified and fixed together:

  1. Address6.group(): zone ID injection. The Address6 constructor stores the raw input (including any IPv6 zone ID) in this.address before zone stripping. group() then passed this.address to helpers.simpleGroup(), which wrapped each :-separated segment in a <span> element without HTML-escaping the content. A zone ID containing HTML markup was embedded verbatim.
  2. Address6.link({ prefix, className }): attribute-value injection. link() concatenated user-supplied prefix and className into the href="…" and class="…" attributes without escaping. A caller passing untrusted content through these options could inject event handlers (e.g. onmouseover) and achieve XSS.
  3. Address6 constructor: leading-zero IPv4 error path. The leading-zero branch in parse4in6() built AddressError.parseMessage by concatenating the raw address through String.replace(). Because parse4in6() runs before the bad-character check, any characters in the groups preceding the IPv4 suffix flowed into the error's HTML unescaped. Consumers who render parseMessage as HTML (its documented purpose - it already contains <span class="parse-error"> markup) could be XSS'd by a crafted input such as <img src=x onerror=alert(1)>:10.0.01.1.
  4. v6.helpers.spanAll(): attribute-value injection (defense in depth). spanAll() embedded each character of its input into a class="digit value-${n} …" attribute without escaping. Because split('') limits n to a single character this was not exploitable in practice, but it produced malformed markup and is fixed for consistency.

Affected Versions

All versions up to and including 10.1.0.

Patched Version

10.1.1.

Impact

Real-world exposure is believed to be extremely limited. Analysis of all 425 dependent npm packages as well as GitHub code search found zero consumers of group(), link(), or spanAll(): these HTML-emitting surfaces appear to be unused across published npm packages and public repositories. Applications using only the address-parsing and comparison APIs (isValid, correctForm, isInSubnet, bigInt, etc.) are not affected.

Consumers who do render the output of group(), link(), spanAll(), or AddressError.parseMessage as HTML against untrusted input should upgrade.

PoC

javascript
const { Address6 } = require('ip-address');
const addr = new Address6('fe80::1%<img src=x onerror=alert(1)>');
document.body.innerHTML = addr.group();  // fires the onerror handler in 10.1.0

Workarounds

If users cannot upgrade immediately:

  • Do not pass untrusted input to the Address6 constructor, or
  • Never render the output of group(), link(), or spanAll(), nor the parseMessage field of any thrown AddressError, as HTML; treat these values as text only, or run them through DOMPurify before inserting into the DOM (DOMPurify's default configuration preserves the library's intended <span> wrapping while stripping any injected event handlers), or
  • Validate input with Address6.isValid() and reject anything that contains a zone identifier (a % character) or characters outside [0-9a-fA-F:/] before passing it to the constructor.

Lack of separate CVEs

Given the evidence that these methods are not used, and given that they are all of the same construction, maintainers do not think it's relevant or useful to create a separate CVE for each library method.

Credit

ip-address thanks @scovetta for reporting this issue.

AnalysisAI

Cross-site scripting (XSS) vulnerabilities in ip-address library versions up to 10.1.0 allow attackers to inject arbitrary JavaScript code when untrusted input is passed to Address6.group(), Address6.link(), Address6 constructor (via AddressError.parseMessage), or v6.helpers.spanAll() methods and their output is rendered as HTML. The vulnerability affects four separate code paths that fail to HTML-escape user-controlled content before embedding it in returned HTML strings or error messages. Real-world exposure is extremely limited because security research found zero consumers of these HTML-emitting methods across 425 dependent npm packages and public code repositories; applications using only parsing and comparison APIs are unaffected.

Technical ContextAI

The ip-address npm package provides IPv6 and IPv4 address parsing and manipulation in JavaScript. The vulnerability stems from unsafe string concatenation in four methods that return HTML-formatted output. Address6.group() uses helpers.simpleGroup() to wrap address segments in <span> elements without escaping zone IDs (IPv6 suffix after %). Address6.link() concatenates user-supplied prefix and className parameters directly into href and class attributes without escaping, enabling attribute injection with event handlers. The Address6 constructor's parse4in6() method concatenates raw input into AddressError.parseMessage HTML via String.replace() before validating characters. v6.helpers.spanAll() injects input characters into class attribute values without escaping. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation). CPE: pkg:npm/ip-address affects versions through 10.1.0.

RemediationAI

Upgrade ip-address to version 10.1.1 or later immediately. This release includes HTML-escaping in Address6.group(), Address6.link(), Address6 constructor error path, and v6.helpers.spanAll(). If immediate upgrade is not possible, implement one or more of these compensating controls: (1) Validate all input with Address6.isValid() and reject any input containing zone identifiers (% character) or characters outside [0-9a-fA-F:/] before passing to the constructor; (2) Never render output of group(), link(), spanAll(), or AddressError.parseMessage as HTML - treat as text only or use textContent/innerText instead of innerHTML; (3) If HTML rendering is required, sanitize output through DOMPurify (default configuration preserves intended <span> wrapping while stripping injected event handlers) before inserting into DOM; (4) Do not accept untrusted user input in the prefix or className parameters of link() method. See https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g for patch details.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Performance Computing 12 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Affected
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Affected

Share

CVE-2026-42338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy