Advisories for Npm/Remark-Images-Download package

2024

Zmarkdown Server-Side Request Forgery (SSRF) in remark-download-images

A major blind SSRF has been found in remark-images-download, which allowed requests to be made to neighboring servers on local IP ranges. The issue came from loose filtering of URLs inside the module. Imagine a server running on a private network 192.168.1.0/24. A private service serving images is running on 192.168.1.2 and is not expected to be accessed by users. A machine is running remark-images-download on the neighboring …