CVE-2018-13797

CRITICAL

Node-macaddress < 0.2.9 - OS Command Injection

Description

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Exploits (1)

nomisec WORKING POC
by dsp-testing · poc
https://github.com/dsp-testing/CVE-2018-13797

Scores

CVSS v3 9.8
EPSS 0.1129
EPSS Percentile 93.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
node-macaddress_project/node-macaddress < 0.2.9
npm/macaddress 0 - 0.2.9 (npm)
Published Jul 10, 2018
Tracked Since Feb 18, 2026