CVE-2022-25876

MEDIUM5.5EPSS 0.07%

Server-Side Request Forgery in link-preview-js

Published: 7/2/2022Modified: 3/13/2026

Description

The package link-preview-js before 2.1.17 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.

Affected packages (1)

npm/link-preview-jsfrom 0, < 2.1.17

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-25876
PATCHhttps://github.com/ospfranco/link-preview-js
WEBhttps://github.com/ospfranco/link-preview-js/issues/115
WEBhttps://github.com/ospfranco/link-preview-js/pull/117
WEBhttps://snyk.io/vuln/SNYK-JS-LINKPREVIEWJS-2933520