CVE-2026-42338 Overview
CVE-2026-42338 is a cross-site scripting (XSS) vulnerability [CWE-79] in the ip-address JavaScript library, used for parsing and manipulating IPv4 and IPv6 addresses. Versions prior to 10.1.1 fail to HTML-escape attacker-controlled content in the Address6.group() and Address6.link() methods, both of which return HTML strings. In one code branch, the AddressError thrown by the Address6 constructor for invalid input also embeds the unescaped input in its parseMessage property. Applications that pass untrusted input to Address6 and render the returned markup, or the caught error's parseMessage, through HTML sinks such as innerHTML are exposed to script injection. The maintainers fixed the issue in version 10.1.1.
Critical Impact
Attackers can inject arbitrary JavaScript into applications that render Address6.group() or Address6.link() output, or the parseMessage of a caught AddressError, as HTML, enabling session hijacking, credential theft, and unauthorized actions in the victim's browser context. Applications that display these values only as text (for example through textContent) do not give the payload an HTML parser to reach.
Affected Products
- ip-address npm library versions prior to 10.1.1
- JavaScript applications that render Address6.group() output as HTML
- JavaScript applications that render Address6.link() output as HTML
- JavaScript applications that display the parseMessage of a caught AddressError as HTML
Discovery Timeline
- 2026-05-12 - CVE-2026-42338 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42338
Vulnerability Analysis
The vulnerability resides in the ip-address library's handling of IPv6 address rendering helpers. The Address6.group() and Address6.link() methods return HTML strings that embed input characters without applying entity encoding. When the library throws an AddressError on invalid input, one branch of parseMessage similarly includes raw input in the error text.
An application becomes vulnerable when it passes untrusted input to the Address6 constructor and then writes the returned HTML, or the caught error's parseMessage, into a sink such as Element.innerHTML. Because group() and link() return markup by design, downstream developers may reasonably assume the output is already safe to render and skip additional encoding. The error message is the less obvious path: a catch block that surfaces parseMessage to the user is rarely reviewed as an HTML sink, yet it carries the same unescaped input.
Successful exploitation executes attacker-supplied JavaScript in the origin of the vulnerable application. This enables theft of session cookies, manipulation of the DOM, and actions performed on behalf of the authenticated user.
Root Cause
The root cause is missing output encoding in string-building code paths that return HTML markup. The affected functions concatenate user-controlled segments into HTML without escaping <, >, ", ', or &. The parseMessage branch suffers the same encoding gap when constructing error text from invalid input.
Attack Vector
Exploitation requires an application that (1) accepts attacker-controlled strings as input to Address6 and (2) renders the returned HTML, or the thrown error's parseMessage, into a DOM sink that interprets HTML. An attacker submits a crafted IPv6-like string carrying HTML or script payload syntax. Depending on the string, the application either calls Address6.group() or Address6.link() on it, or catches the resulting AddressError and displays its parseMessage; in each case the unescaped payload is written to the page, the browser parses the injected markup, and the attacker's script runs in the application's origin.
No verified public proof-of-concept code is available. See the GitHub Security Advisory for maintainer-provided technical details.
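The two paths described above, modelled as an added example. None of this is ip-address code and it is not a proof of concept against the library: groupHtmlUnescaped(), groupHtmlEscaped(), linkHtmlEscaped() and checkColons() are hypothetical stand-ins for the shapes the advisory describes (a helper that builds markup from address text, and an error whose parseMessage echoes the input), with an invented markup layout. The attacker inputs are constructed.

```javascript
// Added example, not code from ip-address. The helpers below are hypothetical
// models of the flaw and its fix; their markup layout is invented.

// Entity-encode text for element content or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // first, so later replacements are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The flaw, modelled: each colon-separated group is dropped into a <span> verbatim.
function groupHtmlUnescaped(address) {
  return address
    .split(':')
    .map((g, i) => `<span class="group-${i}">${g}</span>`)
    .join(':');
}

// Hardened: the attacker-influenced substring is encoded before concatenation.
function groupHtmlEscaped(address) {
  return address
    .split(':')
    .map((g, i) => `<span class="group-${i}">${escapeHtml(g)}</span>`)
    .join(':');
}

// Hardened link: the value lands in a double-quoted href and in element content,
// so one encoder covers both contexts; the fixed "/#address=" prefix (invented
// here) pins the URL scheme so the value cannot become a javascript: URL.
function linkHtmlEscaped(address) {
  const safe = escapeHtml(address);
  return `<a href="/#address=${safe}">${safe}</a>`;
}

// The error branch, modelled: a structural check that throws an AddressError-like
// object. With escape=false the raw input is embedded in parseMessage (the flaw);
// with escape=true it is entity-encoded (the fix).
function checkColons(input, escape) {
  const colons = (input.match(/:/g) || []).length;
  if (colons > 7) {
    const err = new Error('Invalid IPv6 address');
    err.parseMessage = `Too many colons: ${escape ? escapeHtml(input) : input}`;
    throw err;
  }
  return colons;
}

// True when a payload survives verbatim, i.e. an HTML sink would execute it.
function leaksRawMarkup(output, payload) {
  return output.includes(payload);
}

// Constructed attacker inputs: one that reaches the rendering helper, one that
// trips the structural check and reaches the error message instead.
const PAYLOAD = '<img src=x onerror=alert(1)>';
const GROUP_INPUT = `2001:db8::${PAYLOAD}`;
const ERROR_INPUT = `:::::::::${PAYLOAD}`;

function parseMessageOf(input, escape) {
  try {
    checkColons(input, escape);
    return '';
  } catch (err) {
    return err.parseMessage;
  }
}

function demo() {
  return {
    unsafeGroupLeaks: leaksRawMarkup(groupHtmlUnescaped(GROUP_INPUT), PAYLOAD),    // true
    safeGroupLeaks: leaksRawMarkup(groupHtmlEscaped(GROUP_INPUT), PAYLOAD),        // false
    safeLinkLeaks: leaksRawMarkup(linkHtmlEscaped(GROUP_INPUT), PAYLOAD),          // false
    unsafeErrorLeaks: leaksRawMarkup(parseMessageOf(ERROR_INPUT, false), PAYLOAD), // true
    safeErrorLeaks: leaksRawMarkup(parseMessageOf(ERROR_INPUT, true), PAYLOAD),    // false
  };
}

console.log(demo());
```

The check in leaksRawMarkup() is deliberately payload-specific: group()-style output legitimately contains markup, so a generic "does the string contain <" test cannot distinguish the helper's own tags from an injected one. A unit test must therefore assert that the exact payload it submitted is absent (or present only in entity-encoded form) from both the returned markup and the error's parseMessage.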
Detection Methods for CVE-2026-42338
Indicators of Compromise
- Unexpected <script> tags, event-handler attributes, or other HTML markup appearing in rendered IPv6 address output or in displayed address-parsing error messages
- Outbound requests from user browsers to attacker-controlled domains following IP-address input submission
- Browser console errors or Content Security Policy (CSP) violation reports referencing inline script execution on pages that render Address6 output
Detection Strategies
- Inventory dependencies and flag any project with ip-address resolved below version 10.1.1 in package-lock.json or yarn.lock
- Perform static analysis to identify calls to Address6.group() and Address6.link(), and reads of AddressError.parseMessage in catch blocks, whose values flow to innerHTML, outerHTML, insertAdjacentHTML, document.write, or framework dangerouslySetInnerHTML sinks
- Add unit tests that submit XSS payloads such as <img src=x onerror=alert(1)> to Address6, both as input that parses and as input that triggers an AddressError, and assert that the returned markup and the error's parseMessage contain the payload only in entity-encoded form, never verbatim
Monitoring Recommendations
- Deploy a strict Content Security Policy that blocks inline scripts and unsanctioned script sources to limit exploitation impact
- Monitor web application firewall (WAF) and CSP violation reports for script-injection patterns targeting IP-address input fields
- Log and alert on client-side errors emitted from pages that render IPv6 address data
How to Mitigate CVE-2026-42338
Immediate Actions Required
- Upgrade ip-address to version 10.1.1 or later in all JavaScript projects
- Audit application code for rendering of Address6.group(), Address6.link(), and caught AddressError.parseMessage values through HTML sinks
- Until the upgrade is deployed, render IP-address-derived content as text (for example via textContent) or HTML-escape it before insertion into the DOM; once on 10.1.1 or later, do not escape the markup that group() and link() return a second time, since that would display their own tags literally
Patch Information
The maintainer fixed CVE-2026-42338 in ip-address version 10.1.1 by HTML-escaping attacker-controlled content in Address6.group(), Address6.link(), and the affected AddressError.parseMessage branch. Refer to the GitHub Security Advisory GHSA-v2v4-37r5-5v8g for the official fix details.
Workarounds
- Replace innerHTML assignments with textContent when displaying values derived from Address6 output
- Wrap untrusted input in an explicit HTML-escape function before passing it to Address6, or escape the library's output before rendering it; a valid address contains none of the characters the escape touches, so legitimate input still parses, while an invalid one that is echoed in parseMessage arrives already encoded
- Validate IPv6 input against a strict character allowlist (hexadecimal digits, colons, dots, slashes, plus the percent sign only if the application accepts zone identifiers such as fe80::1%eth0) and a sane length cap before invoking Address6, and reject rather than echo anything that fails
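The allowlist and text-only rendering from the workarounds above, as an added example that is not ip-address code. The grammar in IPV6_CANDIDATE is an assumption chosen for illustration (hex groups, colons and dots, an optional %zone suffix, an optional /prefix of 0 to 128); it is a pre-filter, not an address parser, so the library still does the real validation behind it. parseStandIn() stands in for the library call and is not its API; the element object and sample inputs are constructed.

```javascript
// Added example, not code from ip-address. IPV6_CANDIDATE and parseStandIn() are
// assumptions for illustration; see the lead-in.

// Characters a legitimate textual IPv6 value can contain, and nothing else. The
// body is capped at 45 characters (the longest textual form with an embedded IPv4
// address), the zone at 16, and the prefix at 128. Drop the %zone group if your
// application never accepts scoped addresses.
const IPV6_CANDIDATE =
  /^[0-9A-Fa-f:.]{2,45}(?:%[A-Za-z0-9_.-]{1,16})?(?:\/(?:12[0-8]|1[01][0-9]|[1-9]?[0-9]))?$/;

function isPlausibleIPv6Input(input) {
  return typeof input === 'string' && IPV6_CANDIDATE.test(input);
}

// Stand-in for the library call (not ip-address code). It enforces one real IPv6
// rule, at most one "::", and on failure throws an error whose parseMessage echoes
// the input, the shape the advisory warns about.
function parseStandIn(s) {
  if ((s.match(/::/g) || []).length > 1) {
    const err = new Error('Invalid IPv6 address');
    err.parseMessage = `Invalid IPv6 address: ${s}`;
    throw err;
  }
  return s.toLowerCase();
}

// Text-only rendering. An element's textContent setter never invokes the HTML
// parser, so even a value that slipped past the allowlist cannot become markup.
// The catch path shows a fixed message and never surfaces err.parseMessage.
function renderAddressText(element, input, parse) {
  if (!isPlausibleIPv6Input(input)) {
    element.textContent = 'Invalid IPv6 address'; // generic; never echoes the input
    return false;
  }
  try {
    element.textContent = parse(input);
    return true;
  } catch (err) {
    element.textContent = 'Invalid IPv6 address'; // not err.parseMessage
    return false;
  }
}

// Constructed sample inputs: two legitimate forms, one that passes the allowlist
// but fails parsing, and one carrying a payload.
const SAMPLE_INPUTS = [
  '2001:DB8::1',
  'fe80::1%eth0',
  '2001:db8::1::2',
  '2001:db8::<img src=x onerror=alert(1)>',
];

function demo() {
  const element = { textContent: '' }; // constructed stand-in for a DOM element
  const results = {};
  for (const input of SAMPLE_INPUTS) {
    const ok = renderAddressText(element, input, parseStandIn);
    results[input] = { ok, shown: element.textContent };
  }
  return results;
}

console.log(demo());
```

With the real library, parse would be the call that returns a canonical string for the address; everything that reaches the page goes through textContent, and the only text an attacker can influence is the address they supplied after it has passed both the allowlist and the parser.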
# Upgrade ip-address to a patched release
npm install ip-address@^10.1.1
# Verify the resolved version
npm ls ip-address
# Audit for known advisories across dependencies
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


