GitHub has resolved numerous vulnerabilities in Node.js packages tar and @npmcli/arborist, with the worst allowing file overwrites and arbitrary code execution.
On Wednesday, GitHub said the company received reports from Robert Chen and Philip Papurt, between July 21 and August 13, of security flaws impacting the packages via one of GitHub's bug bounty programs, which give researchers credit and financial rewards for responsibly disclosing vulnerabilities to the vendor.
GitHub's Chief Security Officer Mike Hanley says that these reports prompted GitHub to conduct its own review of tar and @npmcli/arborist, leading to the discovery of additional security issues.
The tar Node.js package is used to mimic the tar archive system on Unix, whereas @npmcli/arborist has been developed to manage node_modules trees. Tar is a core npm dependency for npm package extraction, and @npmcli/arborist is a core dependency for npm CLI.
Node-tar has accounted for 22,390,735 weekly downloads, at the time of writing, whereas @npmcli/arborist has been downloaded 405,551 times over the past week.
In total, seven vulnerabilities have been verified through the bug bounty reports and the findings of GitHub's own security team:
Tar:
@npmcli/arborist:
"CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a security impact on the npm CLI when processing a malicious or untrusted npm package install," GitHub says. "Some of these issues may result in arbitrary code execution, even if you are using --ignore-scripts to prevent the processing of package lifecycle scripts."
To make developers aware of these bugs, GitHub created 16.7 million Dependabot alerts and released 1.8 million notifications.
GitHub has asked maintainers of projects that use the npm CLI and download it directly to upgrade to v6.14.15, v7.21.0, or newer. If Node.js is in use, the company recommends upgrading to the latest releases of Node 12, 14, or 16, all of which contain patches for the security flaws. Tar users can upgrade to versions 4.4.19, 5.0.11, or 6.1.10. The latest version of @npmcli/arborist available is 2.8.3.
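As an added example (not GitHub's or npm's own code), the following script audits a package-lock.json against the fixed tar, @npmcli/arborist and npm releases listed above; the lockfile fragment is constructed for the demonstration and the status labels are this example's own.

```javascript
// Fixed releases per major line, as listed in the article. A major line with no
// listed fix is reported for manual review rather than assumed safe.
const FIXED = {
  "tar": ["4.4.19", "5.0.11", "6.1.10"],
  "@npmcli/arborist": ["2.8.3"],
  "npm": ["6.14.15", "7.21.0"],
};

// "6.1.10-rc.1" -> [6, 1, 10]; prerelease suffixes are ignored for the comparison.
const parse = (v) => v.split("-")[0].split(".").map(Number);

// Numeric comparison of two dotted versions; negative, zero or positive like a comparator.
function compareVersions(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// "fixed", "vulnerable", or "review" when no fixed release is listed for that major line.
function status(pkg, version) {
  const major = parse(version)[0];
  const fixed = (FIXED[pkg] || []).find((f) => parse(f)[0] === major);
  if (!fixed) return "review";
  return compareVersions(version, fixed) >= 0 ? "fixed" : "vulnerable";
}

// Walk the "packages" map of a lockfileVersion 2 file. Keys are install paths such as
// "node_modules/npm/node_modules/tar", so the package name is the last segment;
// nested copies are checked individually because each one is extracted by its own tar.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!(name in FIXED) || !meta.version) continue;
    findings.push({ path, name, version: meta.version, status: status(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "node_modules/tar": { version: "6.1.9" },
  "node_modules/npm": { version: "7.21.0" },
  "node_modules/npm/node_modules/@npmcli/arborist": { version: "2.8.2" },
  "node_modules/some-lib/node_modules/tar": { version: "4.4.19" },
  "node_modules/other/node_modules/tar": { version: "3.2.1" },
}};

console.table(auditLockfile(SAMPLE_LOCK));
```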
Chen and Papurt have been awarded a combined bounty of $14,500 for their reports.