CVE & CISA-KEV Catalog

CVE-2021-43616

Severity: CRITICAL (EPSS 83rd percentile)
CVSS v3 score: 9.0 (NVD)

Description

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.

How to fix

Remediation Available
npm (Debian): fixed in 8.4.1~ds-1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Impact

Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploit Intelligence

2.53% probability of exploitation in 30 days
83rd percentile

Elevated risk: more likely to be exploited than 83% of all known CVEs.



This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.