Cybersecurity researchers at GitHub have uncovered arbitrary code execution vulnerabilities in the open-source Node.js packages, "tar" and "@npmcli/arborist,".
The tar package has accounted for 20 million weekly downloads on average, whereas arborist gets downloaded over 300,000 times every week. The vulnerabilities in Node.js packages impact both Windows and Unix-based users, and if left unpatched, can be abused by threat actors to gain arbitrary code execution on a system installing unauthenticated npm packages.
Bug bounty hunters received $14,500 for ZIP slips
During the past two months –July and August – security researchers and bug bounty hunters Robert Chen and Philip Papurt discovered arbitrary code execution vulnerabilities in the open-source Node.js packages, tar, and @npmcli/arborist.
Upon the discovery of these vulnerabilities, the security researchers privately reported npm via one of GitHub's bug bounty programs. Further review of their reports led the GitHub security team to discover some more high-severity vulnerabilities in these cross-platform packages. As a sign of gratitude, both Chen and Papurt received a total of $14,500 incentive from the GitHub security team for their efforts to keep GitHub secure.
Node.js package tar continues to be a core dependency for installers that require unpacked npm packages post-installation. While the arborist package is a core dependency relying on npm CLI and manages node_modules trees.
These ZIP slip vulnerabilities can be a serious concern for developers installing untrusted npm packages using the npm CLI, or using "tar" to extract untrusted packages. By default, npm packages are shipped as .tar.gz or .tgz files which are ZIP-like archives and as such need to be extracted by the installation tools. Ideally, the tools used to extract these archives should ensure that malicious paths do not overwrite existing files in the file system, especially sensitive files.
However, the npm package when extracted could overwrite arbitrary files with the rights of the user running the npm install command due to the vulnerabilities mentioned below:
"CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a security impact on the npm CLI when processing a malicious or untrusted npm package install. Some of these issues may result in arbitrary code execution, even if you are using --ignore-scripts to prevent the processing of package lifecycle scripts," explains Mike Hanley, Chief Security Officer at GitHub.