CVE-2022-25876
Server-Side Request Forgery in link-preview-js
5.5
MEDIUM
CVSS 3.1
EPSS 0.07%
Description
The package link-preview-js before version 2.1.17 is vulnerable to Server-Side Request Forgery (SSRF), which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.
How to fix CVE-2022-25876
To remediate CVE-2022-25876, upgrade the affected package to a fixed version below.
- upgrade to 2.1.17 or later
Is CVE-2022-25876 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- link-preview-js: >= 0, < 2.1.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.5) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |