Vulnerable Dependency: macaddress
Hi, apologies if this isn’t the right place for this.
Using create-react-app and running npm audit (available in npm 6) returns a vulnerable dependency report with a Critical tag:
=== npm audit security report ===
Package: macaddress
Dependency of: react-scripts
Path: react-scripts > css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress
More info: https://nodesecurity.io/advisories/654
Issue Analytics
- Created 5 years ago
- Reactions: 8
- Comments: 7 (3 by maintainers)
Top GitHub Comments
From the vulnerability description you linked to:
If you look at the code for uniqid you’ll see this is not the case. So there is no actual vulnerability you’re being exposed to.
Feel free to send us a PR that bumps the package version when downstream packages stop using the vulnerable one, but there is no issue that we need to address on our side.
It’s said here: https://nodesecurity.io/advisories/654
The macaddress package exports a method called one that takes a single argument. If that argument was supplied by an attacker they could trigger the vulnerability. However, in our case that argument is hardcoded in the uniq implementation I linked to above:
It’s not based on user input and can’t be controlled by an attacker. So there is no vulnerability in this case.
Does this explanation help?
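As an added example, not code from this issue or from react-scripts, uniqid or macaddress, the following Node.js script shows the two things the maintainers' reply turns on: finding the direct consumer in an npm audit path (the package whose call site decides whether the argument can ever be attacker-controlled), and the difference between a sink that splices that argument into a shell string and one that validates it and hands an argv array to child_process.execFile. The dependency path is copied from the npm audit output above; the interface-name allowlist, the ifconfig command and both builder functions are assumptions made for this example, not the package's actual implementation.

```javascript
'use strict';

// Dependency path copied from the npm audit report quoted in the issue.
const AUDIT_PATH =
  'react-scripts > css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress';

// Split an npm audit "Path:" line into its chain. The package just before the
// vulnerable one is its direct consumer: that is the code a triage must read to
// see whether the argument it passes can ever be attacker-controlled.
function parseAuditPath(pathLine) {
  const chain = pathLine.split('>').map((s) => s.trim()).filter(Boolean);
  return {
    chain,
    vulnerable: chain[chain.length - 1],
    directConsumer: chain.length >= 2 ? chain[chain.length - 2] : null,
  };
}

// Assumed allowlist for interface names (letters, digits, '.', ':', '_', '-').
// Anything outside it, including spaces and shell metacharacters, is rejected
// before the value gets anywhere near a command.
const IFACE_RE = /^[A-Za-z0-9][A-Za-z0-9_.:-]{0,31}$/;

function isSafeInterfaceName(iface) {
  return typeof iface === 'string' && IFACE_RE.test(iface);
}

// Unsafe shape, assumed for contrast: the argument is spliced into a shell
// command line. The string is only returned here, never executed, so the
// effect of an unvalidated argument is visible without running anything.
function buildShellCommandUnsafe(iface) {
  return `ifconfig ${iface}`;
}

// Hardened shape: validate, then return an argv array for
// child_process.execFile, which runs the binary directly with no shell parsing.
function buildArgvSafe(iface) {
  if (!isSafeInterfaceName(iface)) {
    throw new TypeError(`rejected interface name: ${JSON.stringify(iface)}`);
  }
  return ['ifconfig', iface];
}

// Stand-alone run: shows which package to inspect and how each input fares.
function main() {
  const p = parseAuditPath(AUDIT_PATH);
  console.log(`inspect ${p.directConsumer} for how it calls ${p.vulnerable}`);
  for (const input of ['eth0', 'en0', 'eth0; echo injected']) {
    console.log('unsafe string :', buildShellCommandUnsafe(input));
    try {
      console.log('safe argv     :', buildArgvSafe(input));
    } catch (err) {
      console.log('safe argv     :', err.message);
    }
  }
}

main();
```

Two caveats follow from the thread. The reachability argument holds only as long as the direct consumer (uniqid here) keeps passing a literal, so bumping to a patched version once it is available still removes the latent sink rather than relying on every future caller to do the same. And an allowlist like IFACE_RE has to be tuned per platform (Windows adapter names can contain spaces, for instance); passing an argv array to execFile instead of a shell string is the part that holds regardless of what the allowlist accepts.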