The issue impacts versions of npm prior to 6.13.3 and versions of yarn prior to 1.21.1, and it could be exploited through a specially crafted entry in the package.json bin field. npm v6.13.4 addresses the vulnerability.
Additionally, in all of the affected versions of npm, as well as in all versions of yarn to date, a globally-installed package with a binary entry could overwrite an existing binary in the target install location (basically, any file in /usr/local/bin).
For both of these issues, a mitigating factor is that a malicious actor exploiting them would need to convince the victim into installing the package with the specially crafted bin entry.
“The npm, Inc. security team has been scanning the registry for examples of this attack, and have not found any published packages in the registry with this exploit. That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the registry,” npm says.
To address the vulnerability, the package.json parsing libraries used in npm were updated to sanitize and validate all entries in the bin field. Thus, leading slashes, along with . and .. path entries, are now removed, and the same applies to other means of path escape.
Additionally, the bin script linking libraries in npm v6.13.4 were updated to only overwrite existing binary files currently installed on behalf of the same package.
The npm security team reviewed both fixes and assessed that they successfully patch the two vulnerabilities.