GitHub Discovers 7 Code Execution Vulnerabilities in ‘Tar’ and Npm CLI

GitHub's security team has discovered several high-severity vulnerabilities in the npm packages “tar” and “@npmcli/arborist”, both used by the npm CLI. The tar package averages 20 million weekly downloads, while arborist is downloaded over 300,000 times every week.

The vulnerabilities affect both Windows and Unix-based users and, if left unpatched, can be exploited by threat actors to achieve arbitrary code execution on a system that installs untrusted npm packages.

Bug bounty hunters awarded $14,500 for ZIP slips

Between July and August this year, security researchers and bug bounty hunters Robert Chen and Philip Papurt identified arbitrary code execution vulnerabilities in the open-source Node.js packages tar and @npmcli/arborist.

On discovering these vulnerabilities, the researchers privately notified npm via one of GitHub’s bug bounty programs. On further review of the researchers’ reports, the GitHub security team found additional high-severity vulnerabilities in the same packages, affecting both Windows and Unix-based systems.

The Node.js package tar remains a core dependency for installers that need to unpack npm packages during installation. The package is also used by thousands of other open-source projects, and as such receives roughly 20 million downloads every week. The arborist package is a core dependency of the npm CLI and is used to manage node_modules trees.

These ZIP slip vulnerabilities pose a problem for developers who install untrusted npm packages using the npm CLI, or who use “tar” to extract untrusted packages. By default, npm packages are shipped as .tar.gz or .tgz files, which are ZIP-like archives and as such need to be extracted by the installation tools.

The tools extracting these archives should ensure that malicious paths within the archive cannot end up overwriting existing files, particularly sensitive ones, on the filesystem. Because of the vulnerabilities listed below, however, an npm package could, when extracted, overwrite arbitrary files with the privileges of the user running the npm install command:

  • CVE-2021-32803
  • CVE-2021-32804
  • CVE-2021-37701
  • CVE-2021-37712
  • CVE-2021-37713
  • CVE-2021-39134
  • CVE-2021-39135

“CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a safety impact on the npm CLI while processing a malicious or untrusted npm package install,” explains Mike Hanley, Chief Security Officer at GitHub.

“Some of these problems may result in arbitrary code execution, even if you are using --ignore-scripts to restrict the processing of package lifecycle scripts.”

GitHub Security team thanked both Chen and Papurt for their responsible disclosure and awarded them a total bounty of $14,500 for their efforts in keeping GitHub secure.

NPM Urging Users to Fix Vulnerabilities

Npm, owned by GitHub, is also urging developers to fix these vulnerabilities as soon as possible in a tweet:

[Image: npm’s tweet urging users to update]

Developers should upgrade their tar dependency to version 4.4.19, 5.0.11, or 6.1.10, and upgrade @npmcli/arborist to version 2.8.2 to patch the vulnerabilities. For the npm CLI, versions v6.14.15, v7.21.0, or newer contain the fix. Moreover, according to GitHub, Node.js versions 12, 14, and 16 ship with the fixed tar version and can be safely upgraded to.
