CVE-2021-27191
Denial of service (DoS) vulnerability in get-ip-range (npm)
What is CVE-2021-27191 About?
The `get-ip-range` package before 4.0.0 for Node.js is vulnerable to a denial of service (DoS) attack. An attacker can exploit this by providing a large, untrusted IP range that causes extensive resource exhaustion. Exploitation is straightforward, requiring only a malicious IP range as input.
Affected Software
Technical Details
The get-ip-range package, designed to expand IP ranges, suffers from a denial of service vulnerability when processing excessively large or complex IP ranges, such as 128.0.0.0/1. The underlying logic in the vulnerable versions does not adequately handle the computational load associated with expanding such large ranges. When an attacker provides a crafted, expansive range, the package attempts to generate all possible IP addresses within that range, consuming a disproportionate amount of system memory and CPU resources. This leads to resource exhaustion and can effectively render the application unresponsive, causing a denial of service for legitimate users.
What is the Impact of CVE-2021-27191?
Successful exploitation may allow attackers to cause a denial of service, leading to resource exhaustion and service unavailability.
What is the Exploitability of CVE-2021-27191?
Exploitation requires an attacker to be able to provide untrusted input to an application that directly or indirectly uses the vulnerable get-ip-range package. This is typically a remote attack vector if the application accepts IP range input from network requests. No authentication or specific user privileges are required; the attack merely relies on the ability to submit the malicious input. The complexity of crafting the oversized IP range is low. Applications that process user-defined IP ranges without proper validation or size limits are at high risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-27191?
About the Fix from Resolved Security
The patch limits the number of IPs that can be generated in a range to a default maximum (10,000), configurable via a MAX_RANGE environment variable, and throws an error if the requested range exceeds this limit. This prevents attackers from triggering resource exhaustion and denial of service by requesting very large IP ranges, fixing the root cause of CVE-2021-27191.
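To make the failure mode and the mitigation concrete, here is a minimal IPv4 CIDR expander written for this page; it is an added example, not code from the get-ip-range package or its 4.0.0 patch. The unbounded version enumerates every address in the block, which for an input such as 128.0.0.0/1 means attempting to build an array of 2^31 strings. The bounded version computes the size of the block arithmetically first and refuses to enumerate when it exceeds the limit. The default of 10,000 and the MAX_RANGE environment variable are the values the advisory states; the function names and the parsing details are assumptions of this example.

```javascript
// Added example (not the get-ip-range package's own code): bounded vs. unbounded
// IPv4 CIDR expansion, illustrating the mitigation for CVE-2021-27191.
// Function names and parsing details are hypothetical; the 10,000 default and the
// MAX_RANGE variable are taken from the advisory text.

const DEFAULT_MAX_RANGE = 10000;

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) {
      throw new Error(`invalid IPv4 address: ${ip}`);
    }
    return acc * 256 + Number(p);
  }, 0);
}

// Format an unsigned 32-bit integer as a dotted-quad IPv4 address.
function intToIpv4(n) {
  return [(n >>> 24) & 255, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Number of addresses in a CIDR block, computed from the prefix length alone.
// This is the key step: the size is known without materialising any address.
function cidrSize(cidr) {
  const [base, prefixStr] = cidr.split('/');
  if (prefixStr === undefined || prefixStr === '') {
    throw new Error(`missing prefix length: ${cidr}`);
  }
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`invalid prefix length: ${cidr}`);
  }
  ipv4ToInt(base); // validate the base address
  return 2 ** (32 - prefix);
}

// First address of the block: the base address rounded down to a multiple of the block size.
function networkStart(cidr) {
  const [base] = cidr.split('/');
  const size = cidrSize(cidr);
  return Math.floor(ipv4ToInt(base) / size) * size;
}

// Resolve the limit: MAX_RANGE from the environment when set, else the default.
function maxRange(env = process.env) {
  const raw = env.MAX_RANGE;
  if (raw === undefined) return DEFAULT_MAX_RANGE;
  const n = Number(raw);
  if (!Number.isInteger(n) || n <= 0) {
    throw new Error(`MAX_RANGE must be a positive integer, got ${raw}`);
  }
  return n;
}

// Unbounded expansion: the behaviour the advisory describes for versions before 4.0.0.
// Memory and CPU grow with the block size, so a /1 exhausts the process.
function expandCidrUnbounded(cidr) {
  const start = networkStart(cidr);
  const size = cidrSize(cidr);
  const out = [];
  for (let i = 0; i < size; i++) out.push(intToIpv4(start + i));
  return out;
}

// Bounded expansion: check the arithmetic size against the limit before allocating anything.
function expandCidrBounded(cidr, env = process.env) {
  const size = cidrSize(cidr);
  const limit = maxRange(env);
  if (size > limit) {
    throw new RangeError(
      `range ${cidr} contains ${size} addresses, exceeding MAX_RANGE (${limit})`,
    );
  }
  return expandCidrUnbounded(cidr);
}

// Usage: the check costs O(1) regardless of input, so a hostile range is rejected instantly.
console.log(cidrSize('128.0.0.0/1')); // 2147483648 addresses, never enumerated
console.log(expandCidrBounded('192.168.1.0/30', {}));
try {
  expandCidrBounded('128.0.0.0/1', {});
} catch (e) {
  console.log(e.message);
}
```

The same approach generalises to any range syntax the library accepts (start/end pairs, hyphenated ranges): derive the count from the endpoints first, compare against the limit, and only then enumerate.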
Available Upgrade Options
- get-ip-range
- <4.0.0 → Upgrade to 4.0.0
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-27191
- https://github.com/JoeScho/get-ip-range/commit/98ca22b815c77273cbab259811ab0976118e13b6
- https://www.npmjs.com/package/get-ip-range
- https://security.netapp.com/advisory/ntap-20210319-0002
- https://osv.dev/vulnerability/GHSA-6q4w-3wp4-q5wf
- https://advisory.checkmarx.net/advisory/CX-2021-4304
What are Similar Vulnerabilities to CVE-2021-27191?
Similar Vulnerabilities: CVE-2021-3749, CVE-2021-32723, CVE-2022-24795, CVE-2020-8199, CVE-2020-5258
