Skip to main content

link-preview-js CVE-2026-43897

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-05 https://github.com/OP-Engineering/link-preview-js GHSA-4gp8-rjrq-ch6q
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
May 11, 2026 - 22:37 vuln.today
cvss_changed
CVSS changed
May 11, 2026 - 22:37 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 05, 2026 - 21:01 vuln.today
Analysis Generated
May 05, 2026 - 21:01 vuln.today

DescriptionGitHub Advisory

Impact

The library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks.

Patches

Problem has been patched in version 4.0.1. However, it cannot be completely solved by the package alone. The regex used for validation has been tightened for IPv6 addresses.

The DNS resolving, however, is more difficult. The regex has been tightened to prohibit .internal, .local, .nip.io and .sslip.io addresses, however there can be other services not on the list, therefore it is imperative that users use the resolveDNSHost option to do DNS resolution before fetching content. To that regard a (scary) error message has been added when the option is not set.

Workarounds

Users can do their own validation before fetching content.

Reported by https://github.com/Andrew-most-likely

AnalysisAI

Server-Side Request Forgery (SSRF) in link-preview-js npm package allows attackers to craft URLs that bypass validation to access internal network resources via IPv6 loopback addresses (::1, ::ffff:127.0.0.1) and DNS rebinding attacks using wildcard services (.internal, .local, .nip.io, .sslip.io domains). Successful exploitation enables reading internal metadata endpoints, accessing private network services, and exfiltrating sensitive data from cloud instance metadata or internal APIs. Vendor-released patch in version 4.0.1 tightens regex validation but requires users to implement DNS resolution via resolveDNSHost option for complete protection. No public exploit identified at time of analysis, though the attack techniques are well-documented SSRF methods.

Technical ContextAI

link-preview-js is an npm package (pkg:npm/link-preview-js) that fetches and parses link metadata for generating preview cards in web applications. The vulnerability stems from insufficient URL validation before making HTTP requests (CWE-918: Server-Side Request Forgery). The original regex-based validation failed to detect IPv6 loopback addresses including compressed notation (::1), IPv4-mapped IPv6 loopback (::ffff:127.0.0.1), Unique Local Addresses (fc00::/7), and link-local addresses (fe80::/10). Additionally, DNS rebinding attacks were possible where attacker-controlled domains could resolve to internal IP ranges, bypassing the validation layer entirely. The library would then fetch content from these internal addresses using the application's credentials and network position. The patch (commit 4396d48) adds comprehensive IPv6 pattern matching to REGEX_LOOPBACK and blacklists known DNS rebinding service TLDs, but the vendor explicitly states complete mitigation requires application-level DNS resolution validation before URL fetching.

RemediationAI

Upgrade to link-preview-js version 4.0.1 or later as released at https://github.com/OP-Engineering/link-preview-js/releases/tag/4.0.1 and detailed in pull request https://github.com/OP-Engineering/link-preview-js/pull/179. CRITICAL ADDITIONAL STEP REQUIRED: The patch alone is insufficient. After upgrading, developers MUST implement DNS resolution validation by enabling the resolveDNSHost configuration option, which performs DNS lookups before fetching content and validates the resolved IP address is not internal. Without this configuration change, applications remain vulnerable to DNS rebinding attacks against non-blacklisted domains. For applications unable to immediately upgrade, implement custom URL validation that rejects IPv6 addresses matching ::1, ::ffff:127.x.x.x, fc00::/7, and fe80::/10 ranges, blocks hostnames ending in .internal, .local, .nip.io, and .sslip.io, and performs DNS resolution to verify the target IP is not in private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16). Note that custom validation workarounds require maintaining regex patterns as new rebinding services emerge, while the resolveDNSHost option provides runtime protection. If implementing workarounds, application performance may degrade due to additional DNS lookups in the request path, requiring DNS caching strategies.

Share

CVE-2026-43897 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy