Description
Link Preview JS extracts web links information. Prior to 4.0.1, the library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. This vulnerability is fixed in 4.0.1.
Published: 2026-05-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Link Preview JS extracts metadata from URLs. Prior to version 4.0.1 the library did not validate or restrict IPv6 loopback or DNS resolutions that could target internal IP addresses. A malicious URL supplied to the library could therefore cause it to contact internal network resources, causing the application to expose or download internal data. The vulnerability enables an attacker to obtain data that should otherwise remain private, compromising confidentiality.

Affected Systems

The affected product is OP‑Engineering’s link‑preview‑js library. All releases before 4.0.1 are vulnerable; patching to 4.0.1 or later removes the flaw.

Risk and Exploitability

The CVSS score of 8.7 represents high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploitation. Nonetheless, the likely attack vector is when an application processes a user‑supplied URL; the attacker constructs a link that resolves to an internal address, and the library inadvertently contacts that address, leaking data. The risk remains significant for systems that expose the library to untrusted input or that have sensitive internal resources accessible via network calls.

Generated by OpenCVE AI on May 12, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade link-preview-js to version 4.0.1 or later
  • Validate URLs to prevent internally routed addresses before they reach the library, ensuring loopback and private IPs are blocked.
  • Enable network firewall or sandboxing to restrict the library’s outbound connections to only trusted external IP ranges, preventing accidental internal network access.

Generated by OpenCVE AI on May 12, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4gp8-rjrq-ch6q link-preview-js vulnerable to IPv6 and internal loopback attacks
History

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Op-engineering
Op-engineering link-preview-js
Vendors & Products Op-engineering
Op-engineering link-preview-js

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Link Preview JS extracts web links information. Prior to 4.0.1, the library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. This vulnerability is fixed in 4.0.1.
Title Link Preview JS: vunerable to IPv6 and internal loopback attacks
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Op-engineering Link-preview-js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T16:40:05.641Z

Reserved: 2026-05-04T16:11:33.085Z

Link: CVE-2026-43897

cve-icon Vulnrichment

Updated: 2026-05-12T16:39:59.770Z

cve-icon NVD

Status : Deferred

Published: 2026-05-11T22:22:14.207

Modified: 2026-05-13T18:27:58.823

Link: CVE-2026-43897

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:22:19Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)