CVE-2018-13797
Command Injection in macaddress
Severity: CRITICAL 9.8 | EPSS: 11.3%
Published: 9/6/2018 | Modified: 4/28/2026
Description
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
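The exec-versus-execFile difference named in the description, as an added illustration (not code from the macaddress package). The function names, the constructed input and the use of `echo` as a stand-in for the real lookup tool are assumptions; the sync variants of the two calls are used so results can be returned directly.

```javascript
// Added illustration; not code from the macaddress package.
const { execSync, execFileSync } = require('node:child_process');

// Assumption: POSIX `echo` stands in for the platform tool a lookup would run.
const TOOL = 'echo';

// Vulnerable pattern: the name is spliced into a string that the shell parses,
// so shell metacharacters inside `iface` are treated as shell syntax.
function lookupWithExec(iface) {
  return execSync(`${TOOL} ${iface}`, { encoding: 'utf8' }).trim().split('\n');
}

// Hardened pattern: no shell is involved; `iface` is exactly one argv entry.
function lookupWithExecFile(iface) {
  return execFileSync(TOOL, [iface], { encoding: 'utf8' }).trim().split('\n');
}

// Defence in depth: accept only strings shaped like an interface name.
// A leading "-" is rejected so the value cannot be read as an option.
function isPlausibleIface(iface) {
  return typeof iface === 'string' &&
    /^[A-Za-z0-9][A-Za-z0-9_.:-]{0,31}$/.test(iface);
}

// Constructed input: an interface "name" carrying a shell separator.
const hostile = 'eth0; echo INJECTED';

console.log('exec     ->', lookupWithExec(hostile));     // two commands ran
console.log('execFile ->', lookupWithExecFile(hostile)); // one literal argument
console.log('allowed? ->', isPlausibleIface(hostile));
```
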
Affected packages (2)
- Debian/node-macaddress: from 0, < 0.2.9-1
- npm/macaddress: from 0, < 0.2.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (10)
- ADVISORY: https://github.com/advisories/GHSA-pp57-mqmh-44h7
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2018-13797
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2018-13797
- PATCH: https://github.com/scravy/node-macaddress
- WEB: https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332
- WEB: https://github.com/scravy/node-macaddress/pull/20
- WEB: https://github.com/scravy/node-macaddress/releases/tag/0.2.9
- WEB: https://hackerone.com/reports/319467
- WEB: https://news.ycombinator.com/item?id=17283394
- WEB: https://www.npmjs.com/advisories/654