JavaScript package manager npm last week addressed a vulnerability that could allow a publisher to access files on a user’s system.
The issue impacts versions of npm prior to 6.13.3 and versions of yarn prior to 1.21.1, and it could be exploited through a specially crafted entry in the package.json bin field. npm v6.13.4 addresses the vulnerability.
By exploiting the vulnerability, an attacker would be able to “modify and/or gain access to arbitrary files on a user’s system when the package is installed,” npm explains.
Additionally, in all of the affected versions of npm, as well as in all versions of yarn to date, a globally-installed package with a binary entry could overwrite an existing binary in the target install location (basically, any file in /usr/local/bin).
For both of these issues, a mitigating factor is that a malicious actor exploiting them would need to convince the victim to install the package with the specially crafted bin entry.
“The npm, Inc. security team has been scanning the registry for examples of this attack, and have not found any published packages in the registry with this exploit. That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the registry,” npm says.
To address the vulnerability, the package.json parsing libraries used in npm were updated to sanitize and validate all entries in the bin field. Thus, leading slashes, along with . and .. path entries, are now removed, and the same applies to other means of path escape.
Additionally, the bin script linking libraries in npm v6.13.4 were updated to only overwrite existing binary files currently installed on behalf of the same package.
The npm security team reviewed both fixes and assessed that they successfully patch the two vulnerabilities.
More from Ionut Arghire