CVE-2021-27191 — Denial of Service in get-ip-range

Description

The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. An attacker could send a large range (such as 128.0.0.0/1) that causes resource exhaustion. Update get-ip-range dependency to 4.0.0 or above.

How to fix CVE-2021-27191

To remediate CVE-2021-27191, upgrade the affected package to a fixed version below.

—upgrade to 4.0.0 or later

Is CVE-2021-27191 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-27191
WEBadvisory.checkmarx.net/advisory/CX-2021-4304
WEBgithub.com/JoeScho/get-ip-range/commit/98ca22b815c77273cbab259811ab0976118e13b6
WEBsecurity.netapp.com/advisory/ntap-20210319-0002