Description
All versions of macaddress are vulnerable to command injection. For this vulnerability to be exploited an attacker needs to control the iface argument to the one method.
Recommendation
Update the macaddress package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.2.9
- Patched version(s): 0.2.9
References
- GHSA-pp57-mqmh-44h7
- hackerone.com
- www.npmjs.com
- news.ycombinator.com
- CVE-2018-13797
- CWE-78
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- @elgentos/magento2-dev-mcp vulnerable to command injection - CVE-2026-5603
- Command Injection in lodash - CVE-2021-23337
- Command Injection in lodash - lodash-es - CVE-2021-23337
- Command injection in Parse Server through prototype pollution - CVE-2022-24760
You might also like:
- Tags:
- npm
- macaddress
Anything's wrong? Let us know Last updated on January 09, 2023


