
Npm Patches Vulnerability Allowing Access to User Files

JavaScript package manager npm last week addressed a vulnerability that could allow a package publisher to read or modify files on the system of anyone who installs the package.

The issue affects versions of npm prior to 6.13.3 and versions of yarn prior to 1.21.1, and it could be exploited through a specially crafted entry in the package.json bin field, the field that maps command names to the scripts a package exposes as executables. npm v6.13.4 addresses the vulnerability together with a related overwrite issue described below.

By exploiting the vulnerability, an attacker would be able to “modify and/or gain access to arbitrary files on a user’s system when the package is installed,” npm explains.

Additionally, in all of the affected versions of npm, as well as in all versions of yarn to date, a globally installed package with a bin entry could overwrite an existing binary in the target install location, which on a typical Unix system means any file in /usr/local/bin. A package declaring a bin named, say, node would simply replace the real node executable.

For both of these issues, a mitigating factor is that an attacker would first need to convince the victim to install a package carrying the specially crafted bin entry.

“The npm, Inc. security team has been scanning the registry for examples of this attack, and have not found any published packages in the registry with this exploit. That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the registry,” npm says.

To address the vulnerability, the package.json parsing libraries used in npm were updated to sanitize and validate every entry in the bin field: leading slashes and . and .. path components are now stripped, and other means of escaping the package directory are neutralized in the same way, so a bin entry can no longer point to, or create a link at, a location outside the package.

Additionally, the bin script linking libraries in npm v6.13.4 were updated so that an existing binary in the install location is only overwritten if it was itself installed on behalf of the same package.


The npm security team reviewed both fixes and assessed that they successfully patch the two vulnerabilities.

Related: GitHub Now Scans Commits for Atlassian, Dropbox, Discord Tokens

Related: Backdoored Module Removed from npm Registry

Related: Critical Vulnerability Addressed in Popular Code Libraries

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
