Description
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.
Published: 2026-05-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The library exposes a client-side XSS primitive. Address6.group(), Address6.link(), and one branch of the AddressError.parseMessage text produced by the Address6 constructor build strings containing HTML and embed caller-supplied data in them without escaping it. An application that passes untrusted input to Address6 and then inserts the returned markup, or the thrown error's parseMessage, into a page via innerHTML or an equivalent HTML sink lets an attacker run arbitrary JavaScript in the victim's browser. The weakness is CWE-79 (improper neutralization of input during web page generation). The library itself never touches the DOM, so whether the flaw is reachable depends entirely on the consuming application's rendering path. The CVE record carries no exploit code, although the SSVC assessment in the history below records a public proof of concept.

Affected Systems

The affected component is the JavaScript library ip-address, developed by beaugunderson and published for Node.js (CPE cpe:2.3:a:beaugunderson:ip-address:*:*:*:*:*:node.js:*:*). Versions prior to 10.1.1 are vulnerable. Any project that depends on these versions and renders the output of group(), link() or an AddressError's parseMessage as HTML is exposed, whether the markup is produced in the browser or on the server and shipped to it. Code that only parses, compares or normalizes addresses and never emits these strings as HTML does not reach the vulnerable path, but should still upgrade.

Risk and Exploitability

The CNA's CVSS v4.0 base score is 5.3 (Medium); NVD's v3.1 assessment is 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), recorded in the history below. The EPSS score is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC assessment notes a public proof of concept but no observed exploitation. The attack path is a web application that accepts an address string from an untrusted party, hands it to Address6, and renders the result of group() or link(), or the parseMessage of the thrown AddressError, as raw HTML via innerHTML or a similar sink. The attacker needs no privileges and no authentication, but the victim must load the page that renders the payload (UI:P in v4.0, UI:R in v3.1), and the script runs only with the privileges of that page's origin.

Generated by OpenCVE AI on May 12, 2026 at 21:47 UTC.

Remediation

Fixed in ip-address 10.1.1 (GHSA-v2v4-37r5-5v8g). No separate vendor workaround is published; until the upgrade is applied, the consumer-side mitigations below reduce exposure.

OpenCVE Recommended Actions

  • Upgrade the ip-address library to version 10.1.1 or later, the release that fixes the escaping in Address6.group(), Address6.link() and AddressError.parseMessage.
  • Until then, treat the strings these methods return as untrusted data: render them with textContent (or another text-only sink) rather than innerHTML, or HTML-escape the address data and build the markup yourself.
  • Reject address strings containing characters an IPv6 literal never needs (anything outside hex digits, ':', '.', '/', '%' and zone-identifier characters) before they reach Address6, so that neither the markup nor the error message can carry a payload.
  • Audit every code path that shows an AddressError message to a user; the parseMessage branch is the one most easily missed, because the error is rendered as feedback rather than as address output.
  • If an immediate upgrade is not feasible, refactor the application so it never inserts raw markup produced by the library into the DOM, or switch to a library whose HTML-emitting helpers escape their data.
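The pattern described in the Impact section and the mitigations listed above, worked through as an added example. This is not code from the ip-address project: legacyParse and legacyGroupMarkup are constructed stand-ins that reproduce the bug class (a helper that interpolates user input into HTML without escaping, and an error whose parseMessage echoes the input), the result objects stand in for assignments to el.innerHTML or el.textContent, and the payloads are constructed sample input. The allowlist, escaper and hardened renderer are what a consuming application can apply regardless of library version.

```javascript
// Added example for this page; not code from the ip-address project. legacyParse and
// legacyGroupMarkup are constructed stand-ins modelling the advisory's bug class, not
// the library's implementation; payloads below are constructed sample input.

// Stand-in for a pre-10.1.1 style HTML-emitting method: wraps each colon-separated
// group in a <span> and echoes the raw text (assumed unescaped-interpolation pattern).
function legacyGroupMarkup(address) {
  return address
    .split(':')
    .map((group) => `<span class="group">${group}</span>`)
    .join(':');
}

// Stand-in for the constructor's error branch: a crude check (an IPv6 literal must
// contain a colon) whose failure message echoes the offending input unescaped.
function legacyParse(address) {
  if (!address.includes(':')) {
    const err = new Error('Invalid IPv6 address');
    err.parseMessage = `Could not parse address: ${address}`;
    throw err;
  }
  return address;
}

// Vulnerable consumer: both the markup and the error text are destined for innerHTML.
function renderUnsafe(userInput) {
  try {
    return { sink: 'innerHTML', value: legacyGroupMarkup(legacyParse(userInput)) };
  } catch (err) {
    return { sink: 'innerHTML', value: err.parseMessage };
  }
}

// Minimal HTML escaper for the five characters that matter in text and attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Conservative pre-filter: characters an IPv6 literal can legitimately contain (hex
// digits, ':', '.', '/', '%' and zone-identifier characters). It is a gate that keeps
// markup characters away from every HTML-emitting path, not a validator; the 64-char
// bound is an assumption.
const IPV6_INPUT = /^[0-9A-Za-z:.\/%_-]{1,64}$/;

// Hardened consumer: gate the input, build markup from escaped groups, and route error
// text to textContent so it is handled as data rather than HTML.
function renderSafe(userInput) {
  if (!IPV6_INPUT.test(userInput)) {
    return { sink: 'textContent', value: 'Rejected: not a valid IPv6 literal' };
  }
  try {
    const parsed = legacyParse(userInput);
    const html = parsed
      .split(':')
      .map((group) => `<span class="group">${escapeHtml(group)}</span>`)
      .join(':');
    return { sink: 'innerHTML', value: html };
  } catch (err) {
    return { sink: 'textContent', value: err.parseMessage };
  }
}

// True when a rendered value contains any tag other than the <span> wrappers we emit.
function containsForeignMarkup(value) {
  return /<(?!\/?span\b)/i.test(value);
}
```

In a real page the `sink` field maps to `el.innerHTML = value` or `el.textContent = value`. Swapping the stand-ins for the real Address6 constructor and methods does not change the defence: the input gate runs before the constructor, only self-built markup with escaped groups reaches innerHTML, and any AddressError's parseMessage goes to a text sink. The gate alone is not a substitute for upgrading to 10.1.1, since the library's own HTML strings remain unescaped on older versions.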

Generated by OpenCVE AI on May 12, 2026 at 21:47 UTC.


Advisories
Source        ID                    Title
GitHub GHSA   GHSA-v2v4-37r5-5v8g   ip-address has XSS in Address6 HTML-emitting methods
History

Tue, 19 May 2026 20:15:00 +0000

  Type       Values Removed   Values Added
  CPEs       -                cpe:2.3:a:beaugunderson:ip-address:*:*:*:*:*:node.js:*:*
  Metrics    -                cvssV3_1: score 6.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Wed, 13 May 2026 15:15:00 +0000

  Type       Values Removed   Values Added
  Metrics    -                ssvc (version 2.0.3): Automatable: no; Exploitation: poc; Technical Impact: partial

Wed, 13 May 2026 11:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Beaugunderson; Beaugunderson ip-address
  Vendors & Products   -                Beaugunderson; Beaugunderson ip-address

Tue, 12 May 2026 20:15:00 +0000

  Type          Values Removed   Values Added
  Description   -                (the description shown at the top of this page)
  Title         -                ip-address: XSS in Address6 HTML-emitting methods
  Weaknesses    -                CWE-79
  References    -                (none listed)
  Metrics       -                cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:46:50.469Z

Reserved: 2026-04-26T13:26:14.514Z

Link: CVE-2026-42338

Vulnrichment

Updated: 2026-05-13T14:46:43.960Z

NVD

Status : Analyzed

Published: 2026-05-12T20:16:41.130

Modified: 2026-05-19T20:04:05.337

Link: CVE-2026-42338

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:36:15Z

Weaknesses