// For flags

CVE-2021-39135

UNIX Symbolic Link (Symlink) Following in @npmcli/arborist

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.

"@npmcli/arborist", la biblioteca que calcula los árboles de dependencia y maneja la jerarquía de carpetas node_modules para la interfaz de línea de comandos de npm, tiene como objetivo garantizar que se cumplan los contratos de dependencia de los paquetes, y que la extracción del contenido de los paquetes sea llevada a cabo siempre en la carpeta esperada. Esto es conseguido extrayendo el contenido de los paquetes en la carpeta "node_modules" de un proyecto. Si la carpeta "node_modules" del proyecto root o cualquiera de sus dependencias se sustituye de algún modo por un enlace simbólico, podría permitir a Arborist escribir las dependencias de los paquetes en cualquier ubicación arbitraria del sistema de archivos. Tenga en cuenta que los enlaces simbólicos contenidos en los artefactos de los paquetes se filtran, por lo que habría que emplear otro medio para crear un enlace simbólico "node_modules". 1. Un script "preinstall" podría sustituir "node_modules" por un enlace simbólico. (Esto es impedido usando "--ignore-scripts".) 2. Un atacante podría suministrar al objetivo un repositorio git, indicándole que ejecute "npm install --ignore-scripts" en root. Esto podría tener éxito, porque "npm install --ignore-scripts" no suele ser capaz de realizar cambios fuera del directorio del proyecto, por lo que podría considerarse seguro. Esto está parcheado en @npmcli/arborist versión 2.8.2 que se incluye en npm versiones v7.20.7 y superiores. Para más información, incluyendo soluciones, consulte la referencia documento GHSA-gmw6-94gg-2rc2

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-08-16 CVE Reserved
  • 2021-08-31 CVE Published
  • 2024-05-16 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
  • CWE-61: UNIX Symbolic Link (Symlink) Following
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Npmjs
Search vendor "Npmjs"
Arborist
Search vendor "Npmjs" for product "Arborist"
< 2.8.2
Search vendor "Npmjs" for product "Arborist" and version " < 2.8.2"
node.js
Affected
in Npmjs
Search vendor "Npmjs"
Npm
Search vendor "Npmjs" for product "Npm"
< 7.20.7
Search vendor "Npmjs" for product "Npm" and version " < 7.20.7"
-
Safe
Oracle
Search vendor "Oracle"
Graalvm
Search vendor "Oracle" for product "Graalvm"
20.3.3
Search vendor "Oracle" for product "Graalvm" and version "20.3.3"
enterprise
Affected
Oracle
Search vendor "Oracle"
Graalvm
Search vendor "Oracle" for product "Graalvm"
21.2.0
Search vendor "Oracle" for product "Graalvm" and version "21.2.0"
enterprise
Affected
Siemens
Search vendor "Siemens"
Sinec Infrastructure Network Services
Search vendor "Siemens" for product "Sinec Infrastructure Network Services"
< 1.0.1.1
Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1"
-
Affected