Description
Link Preview JS extracts web links information. Prior to 4.0.1, the library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. This vulnerability is fixed in 4.0.1.
Published: 2026-05-11
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Link Preview JS extracts metadata from URLs. Prior to version 4.0.1 the library did not validate or restrict IPv6 loopback or DNS resolutions that could target internal IP addresses. A malicious URL supplied to the library could therefore cause it to contact internal network resources, causing the application to expose or download internal data. The vulnerability enables an attacker to obtain data that should otherwise remain private, compromising confidentiality.

Affected Systems

The affected product is OP‑Engineering’s link‑preview‑js library. All releases before 4.0.1 are vulnerable; patching to 4.0.1 or later removes the flaw.

Risk and Exploitability

The CVSS score of 8.7 represents high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploitation. Nonetheless, the likely attack vector is when an application processes a user‑supplied URL; the attacker constructs a link that resolves to an internal address, and the library inadvertently contacts that address, leaking data. The risk remains significant for systems that expose the library to untrusted input or that have sensitive internal resources accessible via network calls.

Generated by OpenCVE AI on May 12, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade link-preview-js to version 4.0.1 or later
  • Validate URLs to prevent internally routed addresses before they reach the library, ensuring loopback and private IPs are blocked.
  • Enable network firewall or sandboxing to restrict the library’s outbound connections to only trusted external IP ranges, preventing accidental internal network access.

Generated by OpenCVE AI on May 12, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4gp8-rjrq-ch6q link-preview-js vulnerable to IPv6 and internal loopback attacks
History

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Link Preview JS extracts web links information. Prior to 4.0.1, the library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. This vulnerability is fixed in 4.0.1.
Title Link Preview JS: vunerable to IPv6 and internal loopback attacks
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T21:14:40.495Z

Reserved: 2026-05-04T16:11:33.085Z

Link: CVE-2026-43897

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-11T22:22:14.207

Modified: 2026-05-11T22:22:14.207

Link: CVE-2026-43897

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T00:15:07Z

Weaknesses