The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
{ "binaries": [ { "binary_version": "0.2.8-2", "binary_name": "node-macaddress" } ] }