Security

mendsec edited this page Jun 23, 2026 · 1 revision

Supported Versions

Only the latest release receives security updates.

| Version | Supported |
|---------|-----------|
| v0.2.x  | ✅ Supported |
| v0.1.x  | ❌ Upgrade required |

Reporting a Vulnerability

Do not open public GitHub issues for security vulnerabilities.

Contact the maintainer privately via the same channels used for catnet-core. The security policies apply identically across the entire CatNet ecosystem.

Security Properties of catnet

Supply Chain

  • catnet has three production dependencies: catnet-core, Cobra, and pflag.
  • catnet itself has zero transitive dependencies beyond Cobra and pflag.
  • catnet-core has zero external dependencies.
  • govulncheck runs weekly in CI on catnet-core.

Input Handling

  • All IP targets are validated through catnet-core's ValidateIPv4 before any network operation.
  • CIDRs are limited to a /16 maximum (65,536 hosts) to prevent an accidental out-of-memory (OOM) condition when expanding the target list.

CSV Injection

The exporter sanitises fields starting with formula-trigger characters (=, +, -, @, \t, \r) per OWASP CSV Injection guidance.
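As an added illustration of the OWASP approach described above (example code, not catnet's own exporter), the following Go snippet prefixes any field that starts with one of the trigger characters with a single quote and then relies on encoding/csv to quote the field and double embedded quotes; the names SanitizeCSVField, WriteSanitizedCSV and SampleExport, and the scan-result rows, are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"strings"
)

// Leading characters spreadsheets treat as the start of a formula (OWASP CSV Injection guidance).
const formulaTriggers = "=+-@\t\r"

// SanitizeCSVField prefixes a field that starts with a trigger with a single
// quote, which spreadsheets read as "literal text". Legitimate negatives such
// as "-1" are prefixed too; OWASP accepts that trade-off for untrusted strings.
func SanitizeCSVField(field string) string {
	if field != "" && strings.ContainsRune(formulaTriggers, rune(field[0])) {
		return "'" + field
	}
	return field
}

// WriteSanitizedCSV sanitises every field and serialises with encoding/csv,
// which quotes fields and doubles embedded quotes so a value cannot escape
// its cell. Hypothetical helper, not catnet's exporter.
func WriteSanitizedCSV(records [][]string) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	for _, rec := range records {
		out := make([]string, len(rec))
		for i, f := range rec {
			out[i] = SanitizeCSVField(f)
		}
		if err := w.Write(out); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

// SampleExport runs the sanitiser over a constructed scan result whose hostname
// column carries an untrusted value beginning with "=" (sample data, not real).
func SampleExport() (string, error) {
	return WriteSanitizedCSV([][]string{
		{"host", "hostname", "open_ports"},
		{"192.0.2.10", "=SUM(A1:A2)", "22,80"},
		{"192.0.2.11", "@printer-1", "-1"},
	})
}
```

Opened in a spreadsheet, the hostname cell now displays the literal text `=SUM(A1:A2)` instead of being evaluated.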

Privilege Requirements

ICMP ping requires raw socket access on most OS configurations:

| OS | Requirement |
|---------|-------------|
| Linux   | Root, or grant the CAP_NET_RAW capability |
| macOS   | Root, or a setuid-root binary |
| Windows | A standard user may be sufficient, depending on UAC configuration |

Network Scope Warning

catnet performs active network scanning. Always obtain written authorisation before scanning networks you do not own.