Even worse, the CVE is effectively “if you use the package wrong, you get weird results”.
The affected method has signature function isPrivate(ip: string): boolean
. Passing in a hex number is not a string, and a method (toString
) exists for this.
They might be printed on there, but as long as it looks like it has wifi (pointy units or the wifi symbol on your phone), people will buy it.
802.11 isn’t anywhere near common knowledge. That’s why it was named WiFi and trademarked to begin with.