NPM swats path traversal bug that lets evil packages modify, steal files. That's bad for JavaScript crypto-wallets

Trio of vulnerabilities made registry full of uncertain code even more of a risk

On Wednesday, NPM, Inc, the California-based biz that has taken it upon itself to organize the world's JavaScript packages into the npm registry, warned that its command line tool, the npm CLI, has a rather serious security vulnerability. Version 6.13.4 has been rushed out with a fix.

The flaw – also present in less-than-current versions of yarn, a Facebook-spawned open-source alternative client for fetching modules from the registry – could allow a hackers to alter the files on systems of users who have installed a malicious package.

That's a risk that exists independent of this particular vulnerability, given that developers who install npm packages (or third-party libraries in other package management systems) are running code of uncertain origin. But in this instance, the problem resides in the npm client itself.

"In versions of npm prior to 6.13.3 (and versions of yarn prior to 1.21.1), a properly constructed entry in the package.json 'bin' field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed," NPM's security team said in a blog post.

A separate vulnerability allows the creation of arbitrary symlinks to any file.

Version of npm prior to 6.13.4, and all versions of yarn currently, allow the arbitrary overwriting of an existing binary with another file, but only in the /usr/local/bin directory.

What should happen is that packages should only be allowed access to the node_modules folder in a given app file.

Developer Daniel Ruf identified the security vulnerability and on Thursday published a blog post about his findings.

"The problem is that we can define any (valid) paths for the binary name and the file which is then symlinked," explained Ruf.

And doing so is not particularly difficult. It requires an entry for the "bin" key in package.json, a file that npm uses to convey the metadata about the project and its dependencies. It would look something like this:

"bin": {
        "../some/path": "../some/other/path"
Person asking for payments

NPM today stands for Now Pay Me: JavaScript packaging biz debuts conduit for funding open-source coders


"This is basically everything that is needed to execute these attacks," said Ruf. "What you can do with this depends on the package manager and the result can be pretty bad."

To demonstrate this, he created proof-of-concept exploits that write or overwrite arbitrary files and allow unauthorized file access. As in the "bin" example above, they consist of a JSON key-value pair. A possible consequence of this security failure could be the theft of crypto wallets.

NPM said it has scanned the registry looking for modules that use this attack but hasn't found any. "That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the registry," NPM's security team said.

So that's all right then. ®

Biting the hand that feeds IT © 1998–2021