CVE-2026-42338 (MEDIUM): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-42338	MEDIUM	ip-address	10.1.0	10.1.1	2026-05-12T20:16:41.13Z	2026-05-13T10:18:32.545471113Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:d4eba5f84c0d7cafdc0ce886c15ca01b51829e1a03b4420e4118fb1c39169f47
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:92dae8302a45e8fd81ee3814c6fb8f4fa8cc8a89dd78dfbefc403a90b07e1fbc
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:d4eba5f84c0d7cafdc0ce886c15ca01b51829e1a03b4420e4118fb1c39169f47

---

Description

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.

---

Remediation Steps

• Update the affected package ip-address from version 10.1.0 to 10.1.1.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.