cbcvebase.
CVE-2018-13797
published 2018-07-10


Priority: P259 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.66% (93.1st percentile)
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call. exec() hands its argument to a shell as a single command string, so metacharacters in the caller-supplied input are interpreted; execFile() spawns the program with an argv array and no shell.

Affected

6 ranges listed (identical rows collapsed)

Vendor                    Product          Version range                           Fixed in
debian                    node-macaddress  < node-macaddress 0.2.9-1 (bookworm)    node-macaddress 0.2.9-1 (bookworm)
node-macaddress_project   node-macaddress  < 0.2.9                                 0.2.9
node-macaddress_project   node-macaddress  >= 0, < 0.2.9-1 (listed four times)     0.2.9-1

Detection & IOCs (extracted from sources)

  • The vulnerability arises from use of `exec` instead of `execFile` for running system commands with unsanitized user input in the macaddress Node.js module. Monitor for shell metacharacters (`;`, `|`, `&`, backticks, `$(`) or command chaining in network interface names that reach the macaddress module; a legitimate Linux interface name is at most 15 characters and contains none of these.
  • The fix was introduced in macaddress module version 0.2.9. Flag any Node.js environment still running macaddress versions prior to 0.2.9 (check `node_modules/macaddress/package.json` and lockfiles, including transitive dependencies).
  • The upstream patch commit can be used as a reference diff to identify unpatched deployments or backport status: https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332
  • Red Hat Quay uses the macaddress module only as a development dependency, not at runtime, so runtime exploitation risk for that product is reduced.
  • The vulnerability's scope is local per Debian's security tracker, which limits remote exploitation vectors; note that NVD's v3.0 vector nonetheless scores it AV:N, so treat the attack vector as dependent on whether the application exposes the interface name to untrusted callers.

CVSS provenance

Source          Version  Score  Severity   Vector
nvd             v3.0     9.8    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.5    HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa                     9.8    CRITICAL
osv                      9.8    CRITICAL
vendor_debian            9.8    LOW
vendor_redhat            9.8    CRITICAL