CVE-2024-21488

Improper Neutralization of Special Elements used in a Command ('Command Injection') in npm/network

Identifiers

GHSA-vvh2-82c7-ppfg, CVE-2024-21488

Package Slug

npm/network

Vulnerability

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Description

Versions of the package network before 0.7.0 is vulnerable to Arbitrary Command Injection due to use of the childprocess exec function without input sanitization. If (attacker-controlled) user input is given to the macaddress_for function of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on.

Affected Versions

All versions before 0.7.0

Solution

Upgrade to version 0.7.0 or above.

Last Modified

2024-01-31

source