Vulnerability Description
The package link-preview-js before 2.1.16 is vulnerable to Server-side Request Forgery (SSRF), which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Link-Preview-Js Project | Link-Preview-Js | < 2.1.16 |
Related Weaknesses (CWE)
References
- https://github.com/ospfranco/link-preview-js/issues/115 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/ospfranco/link-preview-js/pull/117 (Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-LINKPREVIEWJS-2933520 (Exploit, Third Party Advisory)
FAQ
What is CVE-2022-25876?
CVE-2022-25876 is a vulnerability with a CVSS score of 6.2 (MEDIUM). The package link-preview-js before 2.1.16 is vulnerable to Server-side Request Forgery (SSRF), which allows attackers to send arbitrary requests to the local network and read the response. This is due...
How severe is CVE-2022-25876?
CVE-2022-25876 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-25876?
Check the references section above for vendor advisories and patch information. Affected products include: Link-Preview-Js Project Link-Preview-Js.