The host is installed with Node.js 14.0.0 before 14.20.0, 16.0.0 before 16.16.0, 18.0.0 before 18.5.0 and is an OS command injection vulnerability. A flaw is present in the application which fails to validate IP address. On successful exploitation, due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks and hence connect to the WebSocket debugger, allowing for arbitrary code execution.