CVE-2026-43897 Overview
CVE-2026-43897 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in the link-preview-js library, a popular JavaScript package used to extract metadata from web links. Versions prior to 4.0.1 fail to validate IPv6 loopback addresses and do not protect against DNS rebinding attacks. An attacker can supply a URL that resolves to an internal IP address, causing the library to fetch resources from internal infrastructure. This behavior can expose internal services, metadata endpoints, or sensitive data hosted on private networks. The maintainers released version 4.0.1 to address both the IPv6 loopback bypass and the DNS resolution issue.
Critical Impact
Attackers can coerce applications using link-preview-js to issue requests against internal IP ranges, enabling internal data leaks and reconnaissance of private network resources.
Affected Products
- link-preview-js versions prior to 4.0.1
- Applications and services embedding the vulnerable library for URL preview generation
- Server-side Node.js deployments that pass user-supplied URLs to the library
Discovery Timeline
- 2026-05-11 - CVE-2026-43897 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43897
Vulnerability Analysis
The link-preview-js library fetches a remote URL and parses the returned HTML to extract preview metadata such as title, description, and images. Prior to version 4.0.1, the library applied checks for IPv4 loopback and private ranges but did not enforce equivalent restrictions on IPv6 addresses. An attacker can supply IPv6 loopback notations such as [::1], or IPv4-mapped IPv6 addresses such as [::ffff:127.0.0.1], to reach localhost-bound services while bypassing the existing IPv4-only filters.
The library also failed to defend against DNS rebinding. An attacker-controlled hostname can resolve to a public address during initial validation, then resolve to an internal address such as 127.0.0.1, 169.254.169.254, or an RFC1918 range when the actual HTTP request is issued. This time-of-check to time-of-use gap allows requests to reach cloud metadata services and internal management interfaces.
Root Cause
The root cause is incomplete URL and address validation. The library performed string-based checks against the user-supplied URL rather than resolving the hostname and validating every returned address against a deny list that includes IPv6 loopback, link-local, and unique local address ranges.
Attack Vector
Exploitation requires network reachability to an application that exposes link-preview-js functionality, typically through a user-facing field that accepts URLs. The attacker submits a crafted URL pointing to an IPv6 loopback address or to a domain configured for DNS rebinding. The server-side application then issues an HTTP request that lands on internal infrastructure, returning response content or side-channel signals to the attacker. No authentication or user interaction beyond URL submission is required, as reflected by the network attack vector classification. For technical specifics, see the GitHub Security Advisory GHSA-4gp8-rjrq-ch6q and the GitHub Pull Request that implements the fix.
Detection Methods for CVE-2026-43897
Indicators of Compromise
- Outbound HTTP requests from application servers to IPv6 loopback addresses such as [::1] or IPv4-mapped variants like [::ffff:127.0.0.1]
- Application-originated requests to cloud metadata endpoints such as 169.254.169.254 or to RFC1918 ranges that do not match expected backend dependencies
- Repeated DNS lookups for the same hostname returning alternating public and private IP addresses within short windows, indicating DNS rebinding
Detection Strategies
- Inspect application logs for URLs submitted to preview endpoints and correlate against the resolved destination IP at request time
- Apply egress filtering rules that alert when application workloads initiate connections to loopback, link-local, or private address ranges
- Use software composition analysis to identify deployments of link-preview-js at versions below 4.0.1
Monitoring Recommendations
- Monitor DNS resolution telemetry for short TTL responses that toggle between public and internal addresses for the same FQDN
- Track requests originating from server-side rendering or preview services that target cloud metadata IPs
- Establish baselines for outbound traffic destinations from Node.js services and alert on deviation
How to Mitigate CVE-2026-43897
Immediate Actions Required
- Upgrade link-preview-js to version 4.0.1 or later in all dependent projects and rebuild affected services
- Audit package.json and lockfiles across repositories for transitive use of the vulnerable library
- Restrict egress from servers running URL preview functionality to a tightly scoped allow list
Patch Information
The maintainers released the fix in GitHub Release 4.0.1. The corrective changes are visible in the GitHub Commit Update, which expands address validation to cover IPv6 loopback and resolves the DNS rebinding gap by re-validating resolved addresses prior to issuing the outbound request.
Workarounds
- Place a hardened forward proxy between the application and the internet that blocks requests to loopback, link-local, RFC1918, and IPv6 reserved ranges
- Run preview generation in a network namespace or container that has no route to internal management networks or cloud metadata services
- Pre-resolve user-supplied hostnames and reject requests whose resolved addresses fall into private or loopback ranges before passing them to the library
# Configuration example
# Upgrade to the fixed release and record it in package.json
npm install link-preview-js@4.0.1 --save
# Confirm which versions are now present, including transitive copies pulled in by other packages
npm ls link-preview-js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.