GitHub's security team has identified a number of high-severity vulnerabilities in the npm packages "tar" and "@npmcli/arborist", both of which are used by the npm CLI.
The tar package receives around 20 million downloads a week on average, while arborist is downloaded over 300,000 times each week.
The vulnerabilities affect both Windows and Unix-based users and, if left unpatched, can be exploited by attackers to achieve arbitrary code execution on a system that installs untrusted npm packages.
Bug bounty hunters awarded $14,500 for Zip Slip bugs
Between July and August this year, security researchers and bug bounty hunters Robert Chen and Philip Papurt identified arbitrary code execution vulnerabilities in the open-source Node.js packages tar and @npmcli/arborist.
On discovering these vulnerabilities, the researchers privately notified npm through one of GitHub's bug bounty programs.
On further review of the researchers' reports, GitHub's security team found additional high-severity vulnerabilities in the same packages, affecting both Windows and Unix-based systems.
The Node.js package tar remains a core dependency for installers that need to unpack npm packages during installation. The package is also used by thousands of other open source projects, and as such receives roughly 20 million downloads each week. The arborist package is a core dependency of the npm CLI and is used to manage node_modules trees.
These Zip Slip (path traversal) vulnerabilities pose a problem for developers installing untrusted npm packages with the npm CLI, or using "tar" to extract untrusted archives.
By default, npm packages are shipped as .tar.gz or .tgz files, which are gzip-compressed tar archives (the "Zip Slip" name refers to the bug class, not to the ZIP format) and as such must be extracted by the install tools.
The tools extracting these archives should ensure that any malicious entry paths inside the archive, whether absolute, containing "..", or routed through a symlink, cannot end up overwriting existing files on the filesystem, especially sensitive ones.
However, because of the vulnerabilities listed below, an npm package could, when extracted, overwrite arbitrary files with the privileges of the user running the npm install command:
"CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a security impact on the npm CLI when processing a malicious or untrusted npm package install," explains Mike Hanley, Chief Security Officer at GitHub.
"Some of these issues may result in arbitrary code execution, even if you are using --ignore-scripts to prevent the processing of package lifecycle scripts."
GitHub's security team thanked both Chen and Papurt for their responsible disclosure and awarded them a total bounty of $14,500 for their efforts in keeping GitHub secure.
npm urges users to fix the vulnerabilities
As of yesterday, npm, which is owned by GitHub, was also prompting developers to fix these vulnerabilities in a tweet:
action recommended: following newly discovered vulnerabilities in `tar` and `@npmcli/arborist`, we recommend upgrading to the latest versions of @nodejs 12 / 14 / 16 or npm 6 / 7 as well as updating any dependencies you may have on `tar`. read more: https://t.co/t4WaVwJ0mx
— npm (@npmjs) September 8, 2021
Developers should upgrade their tar dependency to version 4.4.19, 5.0.11, or 6.1.10 (whichever matches the major line they are on), and upgrade @npmcli/arborist to version 2.8.2, to patch the vulnerabilities. Because tar is commonly pulled in transitively, every copy nested under node_modules needs to be checked, not just the top-level dependency.
Full details of these vulnerabilities are available in GitHub's detailed blog post.
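As an added example (not the article's or npm's code), the following scans a package-lock.json for copies of tar and @npmcli/arborist that predate the fixed releases listed above, handling both the nested lockfileVersion 1 layout and the flat "packages" map of lockfileVersion 2/3. The lockfile content is constructed sample input, and treating tar major lines that the article lists no fixed release for (2.x, 3.x) as needing an upgrade is an assumption of this example.

```javascript
// Added example, not the article's or npm's code: check a package-lock.json for
// tar / @npmcli/arborist versions older than the fixed releases the article lists.
// The lockfile below is constructed sample input.

// First fixed release on each major line, from the article. Major lines not
// listed here (tar 2.x, 3.x) have no fixed release on the page, so this example
// assumes they need an upgrade as well.
const FIXED = {
  tar: { 4: [4, 4, 19], 5: [5, 0, 11], 6: [6, 1, 10] },
  '@npmcli/arborist': { 2: [2, 8, 2] },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// true when `version` of `name` predates the first fixed release on its major line
function isVulnerable(name, version) {
  const lines = FIXED[name];
  const v = parseVersion(version);
  if (!lines || !v) return false;
  const fixed = lines[v[0]];
  if (!fixed) return v[0] < Math.min(...Object.keys(lines).map(Number));
  return compareVersions(v, fixed) < 0;
}

// Return every installed copy of a vulnerable version, with its path under node_modules.
function findVulnerable(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are paths like "node_modules/a/node_modules/tar"
    for (const [p, info] of Object.entries(lock.packages)) {
      if (!p) continue;                                        // "" is the root project itself
      const name = info.name || p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (isVulnerable(name, info.version)) hits.push({ path: p, name, version: info.version });
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects
    const walk = (deps, prefix) => {
      for (const [name, info] of Object.entries(deps || {})) {
        const p = prefix + 'node_modules/' + name;
        if (isVulnerable(name, info.version)) hits.push({ path: p, name, version: info.version });
        walk(info.dependencies, p + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (v2 layout): two copies of tar need an upgrade; the
// nested 4.4.19 and arborist 2.8.2 are already at the fixed versions.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/tar': { version: '6.1.5' },
    'node_modules/@npmcli/arborist': { version: '2.8.2' },
    'node_modules/legacy-cli/node_modules/tar': { version: '4.4.19' },
    'node_modules/ancient/node_modules/tar': { version: '2.2.2' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log('upgrade ' + h.name + '@' + h.version + ' at ' + h.path);
}
```

Comparing against the first fixed release on the installed major line, rather than against a single "latest" version, is what keeps the check honest for projects pinned to tar 4.x or 5.x: 4.4.19 is fixed even though 6.1.10 is newer. Run it against a real lockfile by replacing SAMPLE_LOCK with the parsed file (for example `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`).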