CVE-2021-29418: 
JavaScript vulnerability analysis and mitigation

The netmask package before version 2.0.1 for Node.js contains a vulnerability (CVE-2021-29418) related to improper handling of unexpected characters in IP address strings. This vulnerability specifically occurs when parsing IP addresses containing octal digits with invalid characters, such as the digit '9'. The issue exists due to an incomplete fix for a previous vulnerability (CVE-2021-28918) (Vuln DB).

The vulnerability stems from the way netmask parses IP addresses with octal integers containing invalid characters. When an IP address string contains a leading zero, it should be interpreted as an octal number, but netmask incorrectly processes these values when they contain invalid octal digits. The vulnerability has been assigned a CVSS score of 5.3 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NetApp Advisory).

The vulnerability could allow attackers to bypass access control mechanisms that are based on IP addresses. When successfully exploited, this vulnerability could lead to addition or modification of data. For example, an attacker could potentially force a server to connect to 127.0.0.1 by passing in 0177.0.0.01, as 177 is the octal representation for 127 in decimal (Bleeping Computer).

The vulnerability has been fixed in netmask version 2.0.1. Users are strongly recommended to update to this version or later to address the security issue. The fix involves a complete rewrite of the byte parsing functionality in JavaScript without depending on parseInt (GitHub Commit).

The vulnerability has garnered significant attention due to netmask's widespread use, with the package receiving over 3 million weekly downloads and being utilized by approximately 278,000 GitHub repositories. Various security researchers, including Victor Viale, Sick Codes, Nick Sahler, Kelly Kaoudis, and John Jackson, have contributed to the discovery and disclosure of this vulnerability (Bleeping Computer).