According to the company, npm versions prior to 6.13.4 made it possible for a globally-installed package to overwrite an existing binary in the target location. npm recommends updating to npm v6.13.4 as soon as possible to fix the vulnerability. Additionally, in npm versions prior to 6.13.3 and yarn versions prior to 1.21.1, a “properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed,” the team wrote in a post.
Although npm did not find any published packages in the registry with this exploit, the company said it can’t guarantee it hasn’t been used.
According to npm, the package.json parsing libraries used by npm v6.13.3 were updated so that they sanitize and validate every entry in the bin field, removing leading slashes, “.” and “..” path segments, and other means of path escape, using the tested and reliable path utility built into Node.js.
The fix was reviewed by npm, Inc.’s security team, which confirmed that it prevented the reported arbitrary path manipulation.
With the fix in the latest update, binary entries of top-level globally installed packages will only overwrite existing binary files if those files were installed on behalf of the same package that is being installed.
“We will continue monitoring, and will take action to prevent any bad actors from exploiting this vulnerability in the future. However, we cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible,” npm wrote.