Vulnerable Dependency: macaddress

Hi, apologies if this isn’t the right place for this.

Using create-react-app and running npm audit (available as npm 6) returns a vulnerable dependency report with Critical tag:

=== npm audit security report ===

Package:        macaddress
Dependency of:  react-scripts
Path:           react-scripts > css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress
More info:      https://nodesecurity.io/advisories/654

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 8
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

7 reactions
gaearon commented, May 18, 2018

From the vulnerability description you linked to:

For this vulnerability to be exploited an attacker needs to control the iface argument to the one method.

If you look at the code for uniqid you’ll see this is not the case.

So there is no actual vulnerability you’re being exposed to.

Feel free to send us a PR that bumps the package version when downstream packages stop using the vulnerable one but there is no issue that we need to address on our side.

3 reactions
gaearon commented, May 22, 2018

It’s said here:

https://nodesecurity.io/advisories/654

For this vulnerability to be exploited an attacker needs to control the iface argument to the one method.

The macaddress package exports a method called one that takes a single argument. If that argument was supplied by an attacker they could trigger the vulnerability. However, in our case that argument is hardcoded in the uniq implementation I linked to above:

// ...
var mac = typeof __webpack_require__ !== 'function' ? require('macaddress').one(macHandler) : null ;
// ...
function macHandler(error){
  // ...
}

It’s not based on user input and can’t be controlled by an attacker. So there is no vulnerability in this case.

Does this explanation help?
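The reachability argument in the comment above, written out as an added example (this is not code from the issue, from create-react-app, uniqid or macaddress). The advisory's sink is the `one(iface, ...)` call; the example wraps a `one`-style function so that only the two safe call shapes seen in uniqid (callback only, or a constant interface name) ever reach it, and shows that a value shaped like untrusted input is stopped at the boundary. The real macaddress package is not loaded: a fake sink is injected, the `one(iface, callback)` / `one(callback)` signature is assumed, and the interface-name allowlist is a conservative pattern chosen for this example, not something the advisory specifies.

```javascript
// Conservative allowlist for interface names such as "eth0" or "en0" (assumption
// of this example; the advisory itself does not define a safe pattern).
const IFACE_NAME = /^[A-Za-z0-9][A-Za-z0-9_.:-]{0,15}$/;

// True only for a string that looks like a plain interface name.
function isSafeIfaceName(value) {
  return typeof value === 'string' && IFACE_NAME.test(value);
}

// Wraps a `one`-style function (assumed signature: one(iface, callback) or
// one(callback)) so that anything other than a callback-only call or an
// allowlisted constant is rejected before it reaches the sink.
function makeGuardedOne(oneImpl) {
  return function guardedOne(iface, callback) {
    // one(callback): no interface argument at all, the shape uniqid uses.
    if (typeof iface === 'function') {
      return oneImpl(iface);
    }
    if (!isSafeIfaceName(iface)) {
      // Callback is invoked synchronously here to keep the example simple.
      callback(new Error('refusing interface name: ' + JSON.stringify(iface)));
      return null;
    }
    return oneImpl(iface, callback);
  };
}

// Fake sink standing in for macaddress.one; it records every value that
// reached it and answers with a constructed MAC address.
function makeFakeSink() {
  const calls = [];
  function one(ifaceOrCb, cb) {
    if (typeof ifaceOrCb === 'function') {
      calls.push(undefined);
      ifaceOrCb(null, '00:00:00:00:00:01');
    } else {
      calls.push(ifaceOrCb);
      cb(null, '00:00:00:00:00:01');
    }
    return calls.length;
  }
  return { one, calls };
}

// Runs the three situations discussed in the thread and reports what reached the sink.
function demo() {
  const sink = makeFakeSink();
  const one = makeGuardedOne(sink.one);
  const results = {};
  // 1. uniqid-style call: a callback only, nothing for an attacker to control.
  one((err, mac) => { results.callbackOnly = err ? 'error' : mac; });
  // 2. A hard-coded interface name from the allowlist.
  one('eth0', (err, mac) => { results.constantName = err ? 'error' : mac; });
  // 3. A constructed sample shaped like untrusted input: rejected, never reaches the sink.
  one('eth0; echo injected', (err, mac) => { results.untrusted = err ? 'error' : mac; });
  results.reachedSink = sink.calls;
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints the two successful lookups, the rejected third call, and `reachedSink` containing only `undefined` and `"eth0"`. The point mirrors the comment: the fix for a finding like this is not in react-scripts but at whichever call site would hand attacker-controlled data to `one()`, and uniqid has no such site.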
