SecurityWeek

Vulnerabilities

Npm Patches Vulnerability Allowing Access to User Files

JavaScript package manager npm last week addressed a vulnerability that could allow a publisher to access files on a user’s system.

The issue impacts versions of npm prior to 6.13.3 and versions of yarn prior to 1.21.1, and it could be exploited through a specially crafted entry in the package.json bin field. npm v6.13.4 addresses the vulnerability.

By exploiting the vulnerability, an attacker would be able to “modify and/or gain access to arbitrary files on a user’s system when the package is installed,” npm explains.

Additionally, in all of the affected versions of npm, as well as in all versions of yarn to date, a globally-installed package with a binary entry could overwrite an existing binary in the target install location (basically, any file in /usr/local/bin).

For both of these issues, a mitigating factor is that a malicious actor exploiting them would first need to convince the victim to install the package carrying the specially crafted bin entry.

“The npm, Inc. security team has been scanning the registry for examples of this attack, and have not found any published packages in the registry with this exploit. That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the registry,” npm says.

To address the vulnerability, the package.json parsing libraries used in npm were updated to sanitize and validate all entries in the bin field. Thus, leading slashes, along with . and .. path entries, are now removed, and the same applies to other means of path escape.

Additionally, the bin script linking libraries in npm v6.13.4 were updated to only overwrite existing binary files currently installed on behalf of the same package.


The npm security team reviewed both fixes and assessed that they successfully patch the two vulnerabilities.

Related: GitHub Now Scans Commits for Atlassian, Dropbox, Discord Tokens

Related: Backdoored Module Removed from npm Registry

Related: Critical Vulnerability Addressed in Popular Code Libraries

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
