CVE & CISA-KEV Catalog

CVE-2021-39135

Severity: HIGH, 8.2 (CVSS v3, source: NVD)

Description

`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder.

If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed.

1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.)
2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe.

This is patched in `@npmcli/arborist` 2.8.2, which is included in npm v7.20.7 and above. For more information, including workarounds, please see the referenced GHSA-gmw6-94gg-2rc2.

How to fix

Remediation Available
npm (Debian)
Fixed in: 7.24.0+ds-2 (CVE-2021-39135)

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Impact

Confidentiality: High
Integrity: High
Availability: None

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Exploit Intelligence

0.55% probability of exploitation in 30 days
42nd percentile

Moderate risk: more likely to be exploited than 42% of all known CVEs.

References

Third-Party Advisory: 1
Other references: 1

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.