CVE-2024-21488 HIGH

Vendor: N/A
Product: network
Weakness: CWE-77
Published: January 30, 2024
Last update: June 17, 2025

CVSS base score

7.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

What the vulnerability does

01 Description

Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.
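The pattern described above next to one way to close it, as an added example that is not the network package's own code. It assumes mac_address_for receives a Linux interface name; the function names, the allow-list regex and the /sys/class/net path are illustrative choices.

```javascript
const { exec, execFile } = require('node:child_process');

// Assumption: Linux interface names are at most 15 bytes and never contain
// '/', ':' or whitespace. The allow-list below is stricter than the kernel's.
const IFACE_RE = /^[A-Za-z0-9_.-]{1,15}$/;

function isSafeInterfaceName(name) {
  return typeof name === 'string' && IFACE_RE.test(name) &&
         name !== '.' && name !== '..';
}

// BEFORE (hypothetical, do not use): the argument is concatenated into a
// string that exec() hands to /bin/sh, so shell metacharacters in `nic`
// are interpreted by the shell instead of being treated as data.
function macAddressForUnsafe(nic, cb) {
  exec('cat /sys/class/net/' + nic + '/address',
       (err, out) => cb(err, out && out.trim()));
}

// AFTER, step 1: validate, then build an argv array instead of a string.
function buildMacLookup(nic) {
  if (!isSafeInterfaceName(nic)) {
    throw new TypeError('invalid interface name');
  }
  // '--' ends option parsing; the path is a single argv element.
  return { file: 'cat', args: ['--', `/sys/class/net/${nic}/address`] };
}

// AFTER, step 2: execFile() spawns the program directly, with no shell.
function macAddressForSafe(nic, cb) {
  let cmd;
  try {
    cmd = buildMacLookup(nic);
  } catch (e) {
    return cb(e); // rejected before any process is spawned
  }
  execFile(cmd.file, cmd.args, { timeout: 2000 },
           (err, out) => cb(err, out && out.trim()));
}
```

Either control alone narrows the issue; together, the allow-list keeps unexpected characters out of the path and execFile removes the shell that would interpret them.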

Key dates

02 Disclosure timeline

January 30, 2024: CVE published
June 17, 2025: Record updated