CVE-2026-42338
Cross-site Scripting vulnerability in ip-address (npm)
What is CVE-2026-42338 About?
This vulnerability involves Cross-site Scripting (XSS) due to improper HTML escaping in specific methods of the `Address6` library. Attackers can inject malicious scripts into web pages if an application renders untrusted input from these methods as HTML, potentially leading to client-side attacks. Exploitation is relatively easy given user-controlled input and vulnerable rendering.
Affected Software
Technical Details
The Address6 library is vulnerable to XSS in `Address6.group()`, `Address6.link()`, and through `AddressError.parseMessage`.

In `Address6.group()`, `this.address` (which contains the raw IPv6 zone ID) is passed to `helpers.simpleGroup()`, which wraps segments in `<span>` tags without HTML-escaping, allowing HTML injection.

`Address6.link()` is vulnerable to attribute-value injection: the user-supplied `prefix` and `className` are concatenated into HTML attributes without escaping, enabling injection of event handlers.

The `Address6` constructor's error path for leading-zero IPv4, specifically `parse4in6()`, builds `AddressError.parseMessage` by concatenating raw, unescaped address characters, so the message can contain injected HTML when rendered.

A related issue in `v6.helpers.spanAll()` produced malformed markup but wasn't exploitable.
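The unescaped and escaped rendering patterns described above, side by side, as an added example (not code from the ip-address package or from this advisory). The function names, CSS class names and default prefix are hypothetical, and the sample address is constructed.

```javascript
// Added example: simplified stand-ins for the rendering pattern described above.
// This is NOT the ip-address package's code; all function names are hypothetical.

// Escape the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": wraps each colon-separated segment in a <span> with no escaping,
// so markup carried in the zone ID (the part after '%') reaches the page intact.
function groupUnescaped(address) {
  return address.split(':')
    .map((seg, i) => `<span class="seg-${i}">${seg}</span>`)
    .join(':');
}

// "After": same markup, but every segment is escaped before it is wrapped.
function groupEscaped(address) {
  return address.split(':')
    .map((seg, i) => `<span class="seg-${i}">${escapeHtml(seg)}</span>`)
    .join(':');
}

// Attribute-value case (the link() pattern): escape prefix and className too,
// otherwise a double quote in either one closes the attribute early.
// Escaping only stops attribute breakout; prefix should still be set by the application.
function linkEscaped(address, { prefix = '/#address=', className = '' } = {}) {
  const href = escapeHtml(prefix + address);
  const cls = className ? ` class="${escapeHtml(className)}"` : '';
  return `<a href="${href}"${cls}>${escapeHtml(address)}</a>`;
}

// Constructed sample input: a zone ID carrying harmless markup.
const sample = 'fe80::1%<b>zone</b>';
console.log(groupUnescaped(sample)); // markup survives into the output
console.log(groupEscaped(sample));   // markup is rendered inert
console.log(linkEscaped(sample, { className: 'addr" data-x="1' }));
```

In a browser, assigning the address or `AddressError.parseMessage` to `textContent` instead of `innerHTML` avoids the problem without an escaping step. Upgrading to 10.1.1 remains the fix this advisory lists.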
What is the Impact of CVE-2026-42338?
Successful exploitation may allow attackers to execute arbitrary client-side script code, hijack user sessions, deface web pages, or redirect users to malicious sites.
What is the Exploitability of CVE-2026-42338?
Exploitation requires an application to pass untrusted input to the Address6 constructor and then render the output of affected methods (like group(), link(), or AddressError.parseMessage) directly as HTML (e.g., via innerHTML). No authentication or special privileges are required for the injection itself, as it relies on how the application handles untrusted input. The access is remote, as the attacker provides the malicious input. The primary constraint is the existence of the vulnerable rendering pattern in the consuming application, which the vendor indicates is rare. The risk is heightened if an application explicitly utilizes these specific methods with user-controlled data in an HTML context.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-42338?
Available Upgrade Options
- ip-address
- <10.1.1 → Upgrade to 10.1.1
Additional Resources
What are Similar Vulnerabilities to CVE-2026-42338?
Similar Vulnerabilities: CVE-2023-38407, CVE-2023-50478, CVE-2023-49527, CVE-2023-48795, CVE-2023-48766
