Arbitrary File Write Affecting @npmcli/arborist package, versions <2.8.2
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-NPMCLIARBORIST-1579165
- published1 Sept 2021
- disclosed1 Sept 2021
- creditginkoid, chen-robert
Introduced: 1 Sep 2021
CVE-2021-39134 (opens in a new tab)How to fix?
Upgrade @npmcli/arborist to version 2.8.2 or higher.
Overview
@npmcli/arborist is a Manage node_modules trees
Affected versions of this package are vulnerable to Arbitrary File Write. @npmcli/arborist aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.
This is, in part, accomplished by resolving dependency specifiers defined in package.json manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies.
When multiple dependencies differ only in the case of their name, Arborist's internal data structure sees them as separate items that could coexist within the same level in the node_modules hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as file:/some/path, this allows an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem.