VYPR
Critical severity · NVD Advisory · Published Jul 10, 2018 · Updated Sep 16, 2024

CVE-2018-13797

Description

The macaddress module before 0.2.9 for Node.js allows arbitrary command injection via unsanitized input to exec(), enabling remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The macaddress module for Node.js, versions prior to 0.2.9, is vulnerable to arbitrary command injection. The module builds a shell command string from unsanitized caller-supplied input and runs it with child_process.exec(). Specifically, functions such as .one(iface, callback) pass the iface parameter directly into that command string. The fix replaces exec() with execFile() and passes the arguments as an array, so no shell ever interprets special characters in the input [1][2][3].

Exploitation

An attacker can exploit this vulnerability by providing a crafted input string for the network interface name (e.g., via the iface parameter). Since the input is directly concatenated into a shell command without sanitization, the attacker can inject arbitrary OS commands. No authentication or special privileges are needed beyond the ability to call the affected functions, which may be exposed through a web application or API that uses the module [1][2].

Impact

Successful exploitation allows remote code execution (RCE) on the server running the Node.js application. The attacker gains the ability to execute arbitrary shell commands with the privileges of the Node.js process, potentially leading to full server compromise, data exfiltration, or lateral movement within the network [1].

Mitigation

The vulnerability is fixed in version 0.2.9 of the macaddress module, released on 2018-07-05. Users should upgrade to version 0.2.9 or later. There is no known workaround other than upgrading. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [3][4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
macaddress (npm)   < 0.2.9             0.2.9

Patches

358fd594adb1

Merge pull request #20 from flypapertech/fixCommandInjection

https://github.com/scravy/node-macaddress · Julian Fleischer · Jun 23, 2018 · via ghsa
6 files changed · +11 −24
  • lib/linux.js (+3 −3) modified
    @@ -1,11 +1,11 @@
    -var exec = require('child_process').exec;
    +var execFile = require('child_process').execFile;
     
     module.exports = function (iface, callback) {
    -    exec("cat /sys/class/net/" + iface + "/address", function (err, out) {
    +    execFile("cat", ["/sys/class/net/" + iface + "/address"], function (err, out) {
             if (err) {
                 callback(err, null);
                 return;
             }
             callback(null, out.trim().toLowerCase());
         });
    -};
    +};
    \ No newline at end of file
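Review bot: the switch to execFile removes shell interpretation, but `iface` is still concatenated into the path argument `"/sys/class/net/" + iface + "/address"`, so a name containing `/` or `..` can point cat at a file outside the sysfs interface directory; validate `iface` against an interface-name pattern (letters, digits, `.`, `:`, `_`, `-`, no leading `-`) before building the argument, or read the sysfs file with `fs.readFile` instead of spawning cat at all. Minor: the `-};`/`+};` pair followed by `\ No newline at end of file` shows the commit also drops the file's trailing newline; keep it.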
    
  • lib/macosx.js (+0 −16) removed
    @@ -1,16 +0,0 @@
    -var exec = require('child_process').exec;
    -
    -module.exports = function (iface, callback) {
    -    exec("networksetup -getmacaddress " + iface, function (err, out) {
    -        if (err) {
    -            callback(err, null);
    -            return;
    -        }
    -        var match = /[a-f0-9]{2}(:[a-f0-9]{2}){5}/.exec(out.toLowerCase());
    -        if (!match) {
    -            callback("did not find a mac address", null);
    -            return;
    -        }
    -        callback(null, match[0]);
    -    });
    -};
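Review bot: this hunk deletes the macOS implementation outright instead of converting `exec("networksetup -getmacaddress " + iface, ...)` to execFile, and nothing in the diff shows what handles macOS afterwards (presumably lib/unix.js via ifconfig, given the osx target added to .travis.yml in this same PR); the commit message should state that macOS now takes the unix path and that `networksetup` is no longer used, so the behaviour change is traceable.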
    
  • lib/unix.js (+2 −2) modified
    @@ -1,7 +1,7 @@
    -var exec = require('child_process').exec;
    +var execFile = require('child_process').execFile;
     
     module.exports = function (iface, callback) {
    -    exec("ifconfig " + iface, function (err, out) {
    +    execFile("ifconfig", [iface], function (err, out) {
             if (err) {
                 callback(err, null);
                 return;
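Review bot: `execFile("ifconfig", [iface], ...)` closes the shell injection, but `iface` is passed as a bare argument, so a value beginning with `-` is read by ifconfig as an option rather than an interface name; validate the name (alphanumerics plus `.`, `:`, `_`, `-`, not starting with `-`) or reject anything that is not a known interface before calling execFile.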
    
  • lib/windows.js (+2 −2) modified
    @@ -1,4 +1,4 @@
    -var exec = require('child_process').exec;
    +var execFile = require('child_process').execFile;
     
     var regexRegex = /[-\/\\^$*+?.()|[\]{}]/g;
     
    @@ -7,7 +7,7 @@ function escape(string) {
     }
     
     module.exports = function (iface, callback) {
    -    exec("ipconfig /all", function (err, out) {
    +    execFile("ipconfig", ["/all"], function (err, out) {
             if (err) {
                 callback(err, null);
                 return;
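Review bot: unlike the other files, this call never included `iface` in the command string (`ipconfig /all` is fixed), so the change here is consistency rather than an injection fix; worth a line in the PR description so readers do not assume the Windows path was affected in the same way. The `escape` helper visible in the hunk header suggests `iface` is only used in a regex over the output, which is where it belongs.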
    
  • package.json (+1 −1) modified
    @@ -1,6 +1,6 @@
     {
       "name": "macaddress",
    -  "version": "0.2.9",
    +  "version": "0.2.10",
       "description": "Get the MAC addresses (hardware addresses) of the hosts network interfaces.",
       "main": "index.js",
       "scripts": {
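Review bot: the version bump goes from 0.2.9 to 0.2.10, meaning package.json already read 0.2.9 before this commit, while the advisory text names 0.2.9 as the fixed release; confirm which published npm version actually contains the execFile change and state it explicitly in the release notes, since users pinning exactly 0.2.9 need to know whether that tag predates this fix.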
    
  • .travis.yml (+3 −0) modified
    @@ -1,4 +1,7 @@
     language: node_js
    +os:
    +  - linux
    +  - osx
     node_js:
       - stable
       - "0.12"
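Review bot: adding `osx` to the build matrix is what exercises the macOS fallback after lib/macosx.js is removed in this same PR, but nothing here adds a regression test; add a test that calls the lookup with an interface name containing shell metacharacters and asserts it is passed through as a single literal argument (for example by stubbing execFile), so the exec-to-execFile change cannot silently regress.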
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
