CVE-2024-21488
HIGHforkhq/network < 0.7.0 - OS Command Injection via mac_address_for Function
Title source: llmDescription
Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.
References (6)
Core 6
Core References
Exploit, Mitigation, Third Party Advisory
https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c
Exploit, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371
Scores
CVSS v3
7.3
EPSS
0.0327
EPSS Percentile
87.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-77
Status
published
Products (4)
None/network
< 0.7.0
None/org.webjars.npm:network
forkhq/network
< 0.7.0
npm/network
0 - 0.7.0npm
Published
Jan 30, 2024
Tracked Since
Feb 18, 2026