GHSA-mf74-qq7w-6j7v: 
JavaScript vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the remark-images-download npm package (GHSA-mf74-qq7w-6j7v), affecting versions prior to 3.1.0. The vulnerability was published on August 31, 2021, and allows attackers to make requests to neighboring servers on local IP ranges due to loose URL filtering within the module (GitHub Advisory).

The vulnerability stems from insufficient URL filtering in the remark-images-download module. When processing markdown images, the module would accept and process URLs pointing to local network addresses, including both IPv4 and IPv6 ranges. This could allow attackers to access private resources by simply including image references to local network addresses in markdown content (GitHub Advisory).

The vulnerability is classified as moderate severity and enables unauthorized access to unexposed documents on local networks. In a practical scenario, if a server running remark-images-download (e.g., on 192.168.1.3) processes markdown content containing references to private network resources (e.g., http://192.168.1.2/private-img.png), it would download and include these potentially sensitive resources in the resulting document (GitHub Advisory).

The vulnerability has been patched in version 3.1.0 of the package. The fix prevents image downloads from local IP ranges for both IPv4 and IPv6, and also blocks resolved local IPs from malicious domain names. Users are strongly advised to upgrade to version 3.1.0 as no other workarounds are available (GitHub Advisory).