CVSSv3 Base Score: 9.8

CVE-2021-43616

Published: 13/11/2021 Updated: 11/04/2024
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The npm ci command in npm 7.x and 8.x up to and including 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for malicious users to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.
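A defender-side gate for the inconsistency described above, added here as an example (it is not npm's code and does not come from the page): before `npm ci` runs, compare the dependency specs in package.json with the root entry the lockfile carries under `packages[""]` (lockfileVersion 2 and 3) and refuse to proceed on any disagreement. The function names, the sample manifest and lockfile, and the resolved URL are constructed for illustration; the shortid versions mirror the mismatch shown in the demonstration repo but the JSON itself is made up.

```python
"""Pre-install consistency check between package.json and package-lock.json.

Added example, not npm's own code: because npm ci in the affected versions
resolves from package.json even when package-lock.json disagrees, a CI step can
refuse to run the install until the two files agree.  The lockfile root entry
packages[""] (lockfileVersion 2 and 3) mirrors the manifest's dependency
specs, so the check compares them field by field; for lockfileVersion 1 there
is no root entry and only dependency names can be verified.
"""
import json
from typing import Dict, List

# Dependency fields npm records in the lockfile root entry.
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def find_mismatches(manifest: Dict, lock: Dict) -> List[str]:
    """Return human-readable discrepancies; an empty list means the files agree."""
    problems: List[str] = []
    root = lock.get("packages", {}).get("") if lock.get("lockfileVersion", 1) >= 2 else None

    if root is not None:
        for field in DEP_FIELDS:
            wanted = manifest.get(field, {})
            locked = root.get(field, {})
            for name, spec in wanted.items():
                if name not in locked:
                    problems.append(f"{field}: {name} is in package.json but not in the lockfile root")
                elif locked[name] != spec:
                    problems.append(
                        f"{field}: {name} package.json wants {spec!r}, lockfile root has {locked[name]!r}"
                    )
            for name in locked:
                if name not in wanted:
                    problems.append(f"{field}: {name} is in the lockfile root but not in package.json")
    else:
        # lockfileVersion 1 records installed packages only, so range mismatches
        # cannot be detected here; at least require every declared name to be locked.
        locked_names = set(lock.get("dependencies", {}))
        for field in ("dependencies", "devDependencies", "optionalDependencies"):
            for name in manifest.get(field, {}):
                if name not in locked_names:
                    problems.append(f"{field}: {name} is in package.json but not in the v1 lockfile")
    return problems


def check_files(manifest_path: str, lock_path: str) -> List[str]:
    """Load both files from disk and run the comparison (for use as a CI gate)."""
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    with open(lock_path, encoding="utf-8") as f:
        lock = json.load(f)
    return find_mismatches(manifest, lock)


# Constructed sample data: the manifest has drifted to a newer range while the
# lockfile still pins shortid 2.0.0, the kind of disagreement the page describes.
SAMPLE_MANIFEST = {"name": "demo", "version": "1.0.0", "dependencies": {"shortid": "^2.2.0"}}
SAMPLE_LOCK_V2 = {
    "name": "demo",
    "version": "1.0.0",
    "lockfileVersion": 2,
    "requires": True,
    "packages": {
        "": {"name": "demo", "version": "1.0.0", "dependencies": {"shortid": "2.0.0"}},
        "node_modules/shortid": {"version": "2.0.0", "resolved": "https://registry.example/shortid-2.0.0.tgz"},
    },
    "dependencies": {"shortid": {"version": "2.0.0"}},
}

if __name__ == "__main__":
    import sys

    issues = find_mismatches(SAMPLE_MANIFEST, SAMPLE_LOCK_V2)
    for line in issues:
        print("MISMATCH", line)
    # Non-zero exit makes a pipeline step fail before npm ci is invoked.
    sys.exit(1 if issues else 0)
```

Run it as a pipeline step ahead of `npm ci` (for example `python check_lock.py && npm ci`); a non-zero exit stops the install, which is the behaviour later npm releases provide on their own. The comparison is exact string equality on the spec, so a manifest that merely rewrites `^2.2.0` as `>=2.2.0 <3.0.0` will also be flagged, which is the conservative choice for a gate.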

Vulnerable Products

npmjs npm

netapp next generation application programming interface

fedoraproject fedora 35

Vendor Advisories

Synopsis Important: nodejs:16 security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this upda ...
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in pa ...
A flaw was found in npm. The npm ci command proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-loc ...
ALAS-2022-214 Amazon Linux 2022 Security Advisory: ALAS-2022-214 Advisory Release Date: 2022-12-06 16:41 Pacific ...

Github Repositories

Repo demonstrating CVE-2021-43616 / https://github.com/npm/cli/issues/2701

Repo demonstrating CVE-2021-43616 / npm/cli#2701. Remove the node_modules folder and run npx npm@8 ci; you can see how npm will install version 2.2.x (2.2.16 at the time of this commit) even though package-lock.json requires 2.0.0: cat node_modules/shortid/package.json. I've committed the node_modules from the original install so the iss