link-preview-js vulnerable to IPv6 and internal loopback attacks
The library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks.
Advisories for Npm/Link-Preview-Js package
2026
2022
Server-Side Request Forgery (SSRF)
The package link-preview-js before 2.1.16 is vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.