CVE-2021-43616
npm: npm ci succeeds when package-lock.json doesn't match package.json
Public Exploits: 3
Exploited in Wild: -
Decision: -
Descriptions
** DISPUTED ** The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.
A flaw was found in npm. The npm ci command proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.
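As an added defensive check (example code, not part of npm or of this advisory), the script below compares the root dependency ranges declared in package.json with the copy npm records in package-lock.json under packages[""] (lockfileVersion 2 and 3), so a lock file that has drifted from the manifest is rejected by CI before `npm ci` is run; the two sample manifests are constructed for the example.

```python
"""Compare package.json root dependency ranges against the copy kept in
package-lock.json before running `npm ci`. Added example, not npm code."""
import json
import sys

# Dependency maps npm records for the root package under packages[""].
DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")

# Constructed sample inputs: the lock file has drifted from the manifest.
PACKAGE_JSON = json.loads(
    '{"name": "app", "dependencies": {"lodash": "^4.17.21", "express": "^4.18.2"}}')
PACKAGE_LOCK = json.loads(
    '{"name": "app", "lockfileVersion": 2, "packages": {"": {"name": "app",'
    ' "dependencies": {"lodash": "^4.17.21", "left-pad": "^1.3.0"}}}}')


def root_deps(manifest):
    """Flatten the dependency maps of a package.json-like object."""
    deps = {}
    for field in DEP_FIELDS:
        deps.update(manifest.get(field) or {})
    return deps


def lock_mismatches(pkg, lock):
    """Return {name: (range in package.json, range in lock)} for every
    root dependency on which the two files disagree; a side that lacks
    the dependency is reported as None. Lock files without packages[""]
    (lockfileVersion 1) carry no copy of the ranges and are rejected."""
    if "packages" not in lock or "" not in lock["packages"]:
        raise ValueError("lockfileVersion 1: regenerate the lock file")
    want = root_deps(pkg)
    have = root_deps(lock["packages"][""])
    return {name: (want.get(name), have.get(name))
            for name in sorted(set(want) | set(have))
            if want.get(name) != have.get(name)}


def check_files(pkg_path="package.json", lock_path="package-lock.json"):
    """CI gate: returns a non-zero exit status when the lock has drifted."""
    with open(pkg_path) as f, open(lock_path) as g:
        diff = lock_mismatches(json.load(f), json.load(g))
    for name, (want, have) in diff.items():
        print(f"{name}: package.json={want!r} package-lock.json={have!r}")
    return 1 if diff else 0


if __name__ == "__main__":
    sys.exit(check_files(*sys.argv[1:3]))
```

The check only detects ranges that differ between the two files; it does not verify that the resolved versions recorded in the lock satisfy those ranges, which is a separate step.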
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-11-13 CVE Reserved
- 2021-11-13 CVE Published
- 2024-07-29 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-345: Insufficient Verification of Data Authenticity
CAPEC
References (12)
URL | Date | SRC
---|---|---
https://github.com/icatalina/CVE-2021-43616 | 2024-08-04 |
https://github.com/npm/cli/issues/2701 | 2024-08-04 |
https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0 | 2024-08-04 |
https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490f | 2024-05-17 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Npmjs | Npm | >= 7.0.0 <= 7.24.2 | - | Affected
Npmjs | Npm | >= 8.0.0 <= 8.1.3 | - | Affected
Netapp | Next Generation Application Programming Interface | - | - | Affected
Fedoraproject | Fedora | 35 | - | Affected