Npm patches two serious bugs

The keeper of the internet's most widely used JavaScript package registry has warned users to update the npm command line tool because of serious bugs that could let a malicious package plant or overwrite executable files on the systems that install it.

Npm is the package manager for JavaScript and the default one for Node.js, the runtime that executes JavaScript outside the browser (on the server, for instance). It consists of a public registry of packages and a piece of software, the npm command line interface (CLI), that developers use to install and manage them.

A package that provides a command-line tool declares it in its package.json file, in a field called bin. Each entry in that field maps a command name to a file inside the package; when the package is installed, npm creates a link under that name in the project's ./node_modules/.bin/ directory (or in the global bin directory, for a global install) pointing at the file. Npm creates and overwrites those links as part of installing and updating packages.

Security researcher Daniel Ruf found the vulnerabilities in the npm CLI after some lateral thinking about how a malicious package might harm the system that installs it. He published the results of his work in a blog post last Thursday that highlighted two flaws.

One of these flaws (see the official npm advisory) allowed an attack known as binary planting. Versions of the npm CLI prior to 6.13.3 failed to confine bin entries to the package's own directory: a path in the bin field that climbs out of that directory, or a symlink created from it, was followed rather than rejected. That let a package publisher overwrite an existing file with a malicious one anywhere the installing user can write, or create a new file where none existed, simply by having the package installed.

A second vulnerability exists in bin-links, the npm package that the npm CLI uses to create the links from bin entries to the files in ./node_modules/.bin/ (and in the global bin directory). It uses symlinks (symbolic links), files that point to another file or directory by its path, to create those commands. Bin-links let a package overwrite an existing symlink even when another package had created it, so a later install could silently replace a command installed earlier.

According to Ruf, that's especially bad for pnpm, an alternative package manager that companies often use in larger environments because it stores each package only once on disk, rather than keeping a separate copy for every project that uses it, and uses symlinks to connect projects to that single copy. With the bin-links bug, he explains, a globally installed package could replace any existing command in the user's global bin directory, typically /usr/local/bin. That's significant because this folder houses many of the programs an ordinary user runs and is on the command search path, so the replaced program runs the next time anyone invokes that command by name.

To exploit these vulnerabilities, an attacker has to get a user to install a package with a suitably crafted bin entry, which, as npm noted, is entirely possible.

What to do

These vulnerabilities have the IDs CVE-2019-16775 and CVE-2019-16776 (the binary planting flaw) and CVE-2019-16777 (the bin-links overwrite).

Npm fixed them and warned people in a blog post that they should update their npm CLI now to version 6.13.4 (6.13.3 fixed the binary planting flaw; 6.13.4 added the fix for bin-links).

It also said that, although it had scanned every package in the public npm registry for these bugs and found none exploiting them, that doesn't give every package a clean bill of health, explaining:

We cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible.

It's also worth checking the bin field in the package.json files of the packages you install (the ones under node_modules), not just your own, for command names or file paths that point outside the package, such as entries containing ../ components or absolute paths.