Link Preview JS IPv6 Loopback and DNS Resolution Vulnerability Allowing Internal Data Leaks

Vulnerability

A vulnerability in Link Preview JS prior to version 4.0.1 allowed IPv6 loopback attacks and internal data leaks when DNS resolved an address to an internal IP. The library did not properly validate IPv6 loopback addresses, which could be exploited to access internal data. In addition, the library did not properly resolve DNS names before fetching, so an external address that resolved to an internal one could lead to similar leaks.

Impact

Exploitation of this vulnerability could result in unauthorized access to internal data through loopback attacks or improper DNS resolution.

Reproduction

The vulnerability can be reproduced by using Link Preview JS version 4.0.0 or earlier without the 'resolveDNSHost' option enabled. Without it, DNS names can resolve to internal IPs, potentially leaking internal data. The IPv6 loopback part of the vulnerability can be tested by resolving such an address through the library's link preview functions.

Remediation

Users should update to Link Preview JS version 4.0.1 or later and ensure that the 'resolveDNSHost' option is enabled to properly validate and resolve DNS addresses before fetching content. The latest version can be downloaded from the GitHub Releases page.
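
As an added example (not code from Link Preview JS), the following sketch shows the kind of check a DNS-resolution step can apply to the addresses returned for a hostname before any content is fetched, covering the IPv6 loopback forms as well as internal IPv4 ranges. All function names and the list of blocked ranges are assumptions chosen for illustration.

```javascript
// Added example; all function names are hypothetical, not Link Preview JS APIs.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const b = m.slice(1).map(Number);
  return b.every((x) => x <= 255) ? b : null;
}

// Expand an IPv6 literal into eight 16-bit groups; null if malformed.
function parseIPv6(input) {
  let s = input.replace(/^\[|\]$/g, "").split("%")[0]; // drop brackets, zone id
  const cut = s.lastIndexOf(":") + 1;
  if (s.slice(cut).includes(".")) { // trailing dotted quad (IPv4-mapped form)
    const q = parseIPv4(s.slice(cut));
    if (!q) return null;
    const hex = (hi, lo) => ((hi << 8) | lo).toString(16);
    s = s.slice(0, cut) + hex(q[0], q[1]) + ":" + hex(q[2], q[3]);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (halves.length === 2 ? fill < 1 : head.length !== 8) return null;
  const groups = [...head, ...Array(fill).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// "This network", private, loopback and link-local IPv4 ranges.
function isInternalV4(b) {
  return b[0] === 0 || b[0] === 10 || b[0] === 127 || (b[0] === 169 && b[1] === 254) ||
    (b[0] === 172 && b[1] >= 16 && b[1] <= 31) || (b[0] === 192 && b[1] === 168);
}

function isInternalAddress(addr) {
  const v4 = parseIPv4(addr);
  if (v4) return isInternalV4(v4);
  const g = parseIPv6(addr);
  if (!g) return true; // unparseable input fails closed
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
  if (mapped) return isInternalV4([g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255]);
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // ULA, link-local
}

// records: [{ address, family }], the shape dns.promises.lookup(host, { all: true }) returns.
function mayFetch(records) {
  return records.length > 0 && records.every((r) => !isInternalAddress(r.address));
}
```

The check only protects the fetch if the request then connects to one of the validated addresses; resolving the hostname a second time at request time can return a different answer.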

Added: May 11, 2026, 10:31 PM
Updated: May 11, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 5.1
remediation: 8.3
relevance: 8.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.