According to the npm team, the npm CLI client has a security bug that combines a path traversal flaw with an arbitrary file (over)write issue.
Attackers can exploit this bug to plant malicious binaries or overwrite files on a victim’s computer. The flaw can be exploited only during the installation of a booby-trapped npm package via the npm CLI.
Two Vulnerabilities Found
To expose command-line tools from an npm package, developers list them in a file called package.json, specifically in a field called bin. Each entry in this field maps a command name to a local file name, which npm links into the ./node_modules/.bin/ directory in the developer’s project folder. As part of its management activities, npm can overwrite those files with new versions.
One of the bugs allows an attack known as binary planting. npm CLI versions prior to 6.13.3 let packages access folders outside the intended folder by manipulating paths in the bin field.
This allows a bad actor to overwrite a clean file with a malicious one anywhere on the victim’s system, or to create a new file altogether.
The second bug was found in bin-links (an npm package that manages the links from the bin field to the files in ./node_modules/.bin/, and which is also bundled with the npm CLI).
A symlink (symbolic link) is used to manage these files. [A symlink is a file that points to another file or directory by its file path.] The flaw in bin-links is that it allows packages to overwrite an existing symlink, even if they did not create it.
While an attacker would have to convince a user to install a package with a manipulated bin entry to exploit these vulnerabilities, npm says that is entirely possible.
It’s not just npm
A similar vulnerability got fixed in the 1.21.1, released yesterday. Keep your systems up to date! 🙂 https://t.co/DjpccTrnxJ
— Yarn (@yarnpkg) December 12, 2019
The fix is here
npm has fixed these issues and urges users to update their npm CLI right away to version 6.13.4.
The team says it has scanned all packages in the npm registry for this bug and found nothing. However, that does not give every package a clean bill of health, because it is impossible to “scan all possible sources of npm packages (mirrors, private registries, git repositories, etc.).”
So it is important to update as soon as possible. It is also worth checking the bin field of the package.json files in your project for any suspicious-looking file paths.