netmask is vulnerable to server-side request forgery (SSRF). The package is not able to differentiate private IP addresses as external IP addresses, and would allow an attacker to trick the application into parsing an IP address incorrectly. Successful exploitation of the vulnerability depends on how the package is used and possible attacks include server-side request forgery (SSRF) and remote/local file inclusion.
github.com/advisories/GHSA-pch5-whg9-qr2r
github.com/rs/node-netmask
github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/
security.netapp.com/advisory/ntap-20210528-0010/
www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/
www.npmjs.com/package/netmask