CVE-2018-13797

CRITICAL

node-macaddress < 0.2.9 - OS Command Injection via Unsanitized Input to exec Call


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-13797. PoCs published by dsp-testing.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2018-13797, which involves command injection in the `node-macaddress` library. The exploit leverages platform-specific commands to retrieve MAC addresses, demonstrating the vulnerability.

Description

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
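
The difference the description points to, as an added example (not code from node-macaddress or from the PoC repository): `exec` hands one string to a shell, while `execFile` takes a program and an argument array. The `cat /sys/class/net/<iface>/address` command shape, the helper names and the sample inputs are assumptions for illustration; the allow-list also rejects path characters, which `execFile` alone does not stop.

```javascript
// Added example (not node-macaddress source). The command shape and the
// helper names below are assumptions chosen for illustration.
const { execFile } = require("child_process");

// Vulnerable pattern, built as a string only and never executed here:
// exec() hands this whole string to a shell, so shell metacharacters in
// `iface` are interpreted as syntax rather than as part of the name.
function shellCommandFor(iface) {
  return "cat /sys/class/net/" + iface + "/address";
}

// Linux interface names are at most 15 characters and cannot contain "/"
// or whitespace. This allow-list is stricter (an assumption of this
// example): letters, digits, ".", "_" and "-", excluding "." and "..".
function isValidIface(iface) {
  return typeof iface === "string" &&
    /^[A-Za-z0-9._-]{1,15}$/.test(iface) &&
    iface !== "." && iface !== "..";
}

// Hardened pattern: a fixed program plus an argv array. No shell is
// involved, so the name can only ever be part of one argument to `cat`.
function execFileArgsFor(iface) {
  if (!isValidIface(iface)) {
    throw new TypeError("invalid interface name");
  }
  return ["cat", ["/sys/class/net/" + iface + "/address"]];
}

// Reads the address through execFile; validation errors go to the callback.
function readMac(iface, callback) {
  let file, args;
  try {
    [file, args] = execFileArgsFor(iface);
  } catch (err) {
    return callback(err);
  }
  execFile(file, args, { timeout: 2000 }, (err, stdout) => {
    if (err) return callback(err);
    callback(null, stdout.trim().toLowerCase());
  });
}

// Constructed sample inputs, checked against the allow-list only.
const samples = ["eth0", "wlan0", "eth0; echo marker", "../../../etc"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", isValidIface(s) ? "accepted" : "rejected");
}
```
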

Exploits (1)

nomisec WORKING POC
by dsp-testing · poc
https://github.com/dsp-testing/CVE-2018-13797

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: node-macaddress library
No auth needed
Prerequisites: Node.js environment · Access to execute arbitrary code
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory x_refsource_misc
https://github.com/scravy/node-macaddress/pull/20/
Patch, Release Notes, Third Party Advisory x_refsource_misc
https://github.com/scravy/node-macaddress/releases/tag/0.2.9
Exploit, Third Party Advisory x_refsource_misc
https://news.ycombinator.com/item?id=17283394

Scores

CVSS v3 9.8
EPSS 0.1129
EPSS Percentile 93.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (2)
node-macaddress_project/node-macaddress < 0.2.9
npm/macaddress 0 - 0.2.9 (npm)
Published: Jul 10, 2018
Tracked Since: Feb 18, 2026