Homepage
About Snyk

Time of Check Time of Use (TOCTOU) Affecting chownr package, versions <1.1.0

0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required

    Threat Intelligence

    EPSS 0.04% (6th percentile)
Expand this section
NVD
2.5 low
Expand this section
Red Hat
7.7 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:chownr:20180731
  • published 31 Jul 2018
  • disclosed 31 Jul 2018
  • credit Jeff Epler
Report a new vulnerability Found a mistake?

Introduced: 31 Jul 2018

CVE-2017-18869 Open this link in a new tab
CWE-264 Open this link in a new tab

How to fix?

Upgrade chownr to version 1.1.0 or higher.

Overview

chownr is a package that takes the same arguments as fs.chown()

Affected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU). Affected versions of this package are vulnerable toTime of Check Time of Use (TOCTOU) attacks.

It does not dereference symbolic links and changes the owner of the link, which can trick it into descending into unintended trees if a non-symlink is replaced by a symlink at a critical moment:

      fs.lstat(pathChild, function(er, stats) {
        if (er)
          return cb(er)
        if (!stats.isSymbolicLink())
          chownr(pathChild, uid, gid, then)

References