Npm: Update JavaScript Package To Avoid ‘Binary Planting’ Bug


Npm, the management service that handles JavaScript packages, has urged users to update to the latest version (6.13.4) to avoid ‘binary planting’ attacks.

For the uninitiated, npm is the official package manager for Node.js — a framework for JavaScript code that runs outside the browser (or on the server). You can manage npm packages via the npm command line interface (CLI).

According to the team, the npm CLI client has a security bug which is a combo of file traversal and an arbitrary file (over)write issue.

Attackers can exploit this bug to plant malicious binaries or overwrite files on a victim’s computer. This flaw can be exploited only during the installation of a boobytrapped npm package via the npm CLI.

Two Vulnerability Found

Daniel Ruf, a German security researcher, found two vulnerabilities in the npm CLI and published the results in a blog post. These vulnerabilities are CVE-2019-1677516776 and 16777.

To include packages from npm in the code, developers list them in a file called package.json, specifically in a field called bin. All the entries in this field, map a command name to a local file name in the ./node_modules/.bin/ directory in the developer’s project folder. As a part of its management activities, npm can overwrite those files with new versions.

One of the bugs allows an attack known as binary planting. npm CLI versions prior to 6.13.3 let packages access folders outside the intended folder by manipulating paths in the bin field.

This allows a bad actor to overwrite a clean file with a malicious one anywhere on the victim’s system, or to create a new file altogether.

The second bug was found in bin-links (npm package that manages links from the bin field to the file in ./node_modules/.bin/, also present in npm CLI).

A symlink (symbolic link) is used to manage these files. [Symlink is a file that links to another file or directory using its file path.] The flaw in Bin-links is that it allows packages to overwrite the symlink, even if they did not create it.

While one would have to convince a user to install a file using a manipulated bin entry, to exploit these vulnerabilities; it is entirely possible, says npm.

It’s not just npm

In addition to npm, yarn, (another package manager for JavaScript) has been also affected. The bug in yarn was fixed earlier this week with the release of yarn 1.21.1.

The fix is here

Npm has fixed these issues and warned people to update their npm CLI right away to version 6.13.4.

The team says that they have scanned all packages in its npm registry for bugs and nothing was found. However, that doesn’t give every package a clean bill because it is not impossible to “scan all possible sources of npm packages (mirrors, private registries, git repositories, etc.).”

So it is important to update as soon as possible. Also, it might be worth checking the bin field of package.json files in your project for any suspicious-looking file paths.

Also Read: Google Chrome 79 Update Has A Bug That Deletes Android App Data
Manisha Priyadarshini

Manisha Priyadarshini

An Editor and a Tech Journalist with a software development background. I am a big fan of technology and memes. At Fossbytes, I cover all aspects of tech but my specific area of interest is Programming and Development.
More From Fossbytes

Latest On Fossbytes

Find your dream job