Arbitrary File Write Affecting @npmcli/arborist package, versions <2.8.2
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-NPMCLIARBORIST-1579165
- published 1 Sep 2021
- disclosed 1 Sep 2021
- credit ginkoid, chen-robert
Introduced: 1 Sep 2021
CVE-2021-39134 Open this link in a new tabHow to fix?
Upgrade @npmcli/arborist to version 2.8.2 or higher.
Overview
@npmcli/arborist is a Manage node_modules trees
Affected versions of this package are vulnerable to Arbitrary File Write. @npmcli/arborist aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.
This is, in part, accomplished by resolving dependency specifiers defined in package.json manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies.
When multiple dependencies differ only in the case of their name, Arborist's internal data structure sees them as separate items that could coexist within the same level in the node_modules hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as file:/some/path, this allows an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem.