link-preview-js vulnerable to IPv6 and internal loopback attacks — CVE-2026-43897

ID: CVE-2026-43897
Date:
Updated:
Activity:
Source: GitHub
Vendor: GitHub
Threat: high
CVSS: 8.7
EPSS: 0.00041

Summary

### Impact

The library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks.

### Patches

The problem has been patched in version 4.0.1. However, it cannot be completely solved by the package alone. The regex used for validation has been tightened for IPv6 addresses. The DNS resolving, however, is more…

Product

npm: link-preview-js

What to do

General, cautious steps (verify details in the official source):

  • Prioritize patching or mitigation immediately (treat as actively risky).
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.
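
The summary says the package alone cannot fully close the DNS case, so the calling application can resolve the hostname itself and refuse internal addresses before any fetch. The following is an added example, not code from link-preview-js or from the advisory; `parseIp`, `isInternal`, `assertPublicHost` and the range list are hypothetical names and choices made for this illustration, and the range list is not exhaustive.

```javascript
// Added example, not link-preview-js code. parseIp turns an IP literal into 16 bytes
// (IPv4 in IPv4-mapped form ::ffff:a.b.c.d) or returns null if it is not a strict literal.
function parseIp(ip) {
  const v4 = (s) => (/^((0|[1-9]\d{0,2})\.){3}(0|[1-9]\d{0,2})$/.test(s)
    && s.split('.').every((o) => +o < 256) ? s.split('.').map(Number) : null);
  if (!ip.includes(':')) return v4(ip) && [...Array(10).fill(0), 255, 255, ...v4(ip)];
  let s = ip.replace(/^\[|\]$/g, '').split('%')[0]; // drop URL brackets and zone id
  let tail = null;
  if (s.includes('.')) { // dotted IPv4 suffix, e.g. ::ffff:127.0.0.1
    const cut = s.lastIndexOf(':') + 1;
    if (!(tail = v4(s.slice(cut)))) return null;
    s = s.slice(0, cut) + '0:0'; // placeholder groups, overwritten below
  }
  const halves = s.split('::').map((h) => (h ? h.split(':') : []));
  const [head, rest = []] = halves;
  const fill = 8 - head.length - rest.length;
  if (halves.length > 2 || (halves.length === 1 ? fill !== 0 : fill < 1)) return null;
  const groups = [...head, ...Array(fill).fill('0'), ...rest];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  const bytes = groups.flatMap((g) => [parseInt(g, 16) >> 8, parseInt(g, 16) & 255]);
  if (tail) bytes.splice(12, 4, ...tail);
  return bytes;
}
// Ranges chosen for this example (assumption). ::/96 covers ::, ::1 and IPv4-compatible forms.
const INTERNAL = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['::', 96], ['fc00::', 7], ['fe80::', 10],
].map(([net, bits]) => [parseIp(net), net.includes(':') ? bits : bits + 96]);
function isInternal(ip) {
  const addr = parseIp(ip);
  if (!addr) return true; // fail closed on anything that is not a strict IP literal
  return INTERNAL.some(([net, bits]) => net.every((b, i) => {
    const mask = (0xff << (8 - Math.min(8, Math.max(0, bits - 8 * i)))) & 0xff;
    return (addr[i] & mask) === (b & mask);
  }));
}
// Resolve the name and reject it if ANY answer is internal.
async function assertPublicHost(hostname) {
  const { lookup } = await import('node:dns/promises');
  const addrs = (await lookup(hostname, { all: true })).map((a) => a.address);
  const bad = addrs.find(isInternal);
  if (bad) throw new Error(`${hostname} resolves to internal address ${bad}`);
  return addrs; // connect to one of these, do not resolve the name again
}
```

Connect to an address that passed the check and repeat the check for every redirect target; resolving the name a second time at fetch time reopens the DNS gap.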
