ip-address Library Cross-Site Scripting Vulnerability in Address6 HTML-Emitting Methods
Vulnerability
A cross-site scripting vulnerability has been identified in the ip-address library for JavaScript, affecting versions through 10.1.0. The issue is in the Address6 class: the group() and link() methods do not HTML-escape attacker-controlled content before embedding it in the HTML strings they generate. In addition, the parseMessage of the AddressError that the Address6 constructor emits for invalid input can contain unescaped attacker-controlled content in certain cases. The vulnerability is exploitable when an application passes untrusted input to Address6 and renders the output of these methods, or the parseMessage of any thrown AddressError, as HTML, for example via innerHTML.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, create an Address6 instance with untrusted input that includes HTML markup, such as an image tag with an event handler. Then, use the group() method to generate an HTML string. The injected script will execute when the HTML is rendered in a browser.
Remediation
Users should upgrade to ip-address version 10.1.1 or later. If an immediate upgrade is not possible, untrusted input should be validated and sanitized before being passed to the Address6 constructor or rendered as HTML.
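One way to apply the interim mitigation above, as an added example that is not code from the ip-address project: an allowlist check run on untrusted input before it reaches the Address6 constructor, plus an escaper for any error text that must be rendered as HTML. The function names, the length limit and the accepted address shape (address, optional /prefix, optional %zone) are assumptions made for this example.

```javascript
// Added example: guards for untrusted input on versions that cannot be
// upgraded yet. All names here are hypothetical, not part of ip-address.

const MAX_LEN = 128; // assumption: generous bound for address + prefix + zone

// Allowlist: hex digits, ':' and '.', then optional /prefix and %zone.
// None of the HTML metacharacters < > & " ' can pass this pattern.
const IPV6_SHAPE = /^[0-9A-Fa-f:.]+(?:\/\d{1,3})?(?:%[0-9A-Za-z._-]+)?$/;

// Escape the five characters that can change HTML parsing context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Decide whether untrusted input may be handed to `new Address6(value)`.
// This is a character-level gate only; Address6 still does the real parsing.
function checkAddressInput(untrusted) {
  if (typeof untrusted !== 'string' || untrusted.length === 0) {
    return { ok: false, reason: 'empty or not a string' };
  }
  if (untrusted.length > MAX_LEN) {
    return { ok: false, reason: 'too long' };
  }
  if (!IPV6_SHAPE.test(untrusted)) {
    return { ok: false, reason: 'characters outside the IPv6 allowlist' };
  }
  return { ok: true, value: untrusted };
}

// Build HTML for an error message (for example a caught AddressError's
// parseMessage) so that any markup inside it is shown as text.
function errorToHtml(message) {
  return '<span class="addr-error">' + escapeHtml(message) + '</span>';
}
```

Where the message is only displayed, assigning it to textContent instead of innerHTML avoids the need for escaping altogether.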
