Vulnerability Note VU#319816
npm fails to restrict the actions of malicious npm packages
npm allows packages to take actions during installation that could let a malicious npm package author create a worm capable of spreading across the majority of the npm ecosystem.
npm is the default package manager for Node.js, which is a runtime environment for developing server-side web applications. There are several factors in the npm system that could allow for a worm to compromise the majority of the npm ecosystem:
When these three aspects of npm are combined, they provide the capability for a self-replicating worm. The following steps are an example worm workflow outlined in the report provided by Sam Saccone:
The full report from Sam Saccone is available here in PDF form: npmwormdisclosure.pdf
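The install-time "actions" described above are, by assumption here, the lifecycle scripts npm runs from a package's package.json during `npm install`. The following Python check is added for this note (it is not part of the CERT/CC advisory or Sam Saccone's report) and flags such scripts in a manifest so a package can be reviewed before it is installed; the manifests it inspects are constructed samples, not real packages.

```python
import json

# npm runs these package.json "scripts" entries automatically during
# `npm install`; the assumption here is that they are the package
# "actions" the advisory refers to. "prepare" is included because npm
# also runs it when a dependency is installed from a git URL.
INSTALL_TIME_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def install_time_scripts(package_json_text):
    """Return {hook: command} for every script npm would run on install."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return {}  # a malformed or absent "scripts" field runs nothing
    return {hook: cmd for hook, cmd in scripts.items()
            if hook in INSTALL_TIME_HOOKS and isinstance(cmd, str)}

def review_manifest(package_json_text):
    """Summarise a manifest as (name, version, findings); findings is a list
    of human-readable strings and is empty when nothing runs at install."""
    manifest = json.loads(package_json_text)
    hooks = install_time_scripts(package_json_text)
    findings = ["%s runs: %s" % (hook, cmd) for hook, cmd in sorted(hooks.items())]
    return manifest.get("name", "?"), manifest.get("version", "?"), findings

# Constructed sample manifests (hypothetical package names, not real packages).
QUIET = json.dumps({"name": "left-align", "version": "1.0.0",
                    "scripts": {"test": "node test.js"}})
NOISY = json.dumps({"name": "fast-colors", "version": "2.3.1",
                    "scripts": {"test": "node test.js",
                                "postinstall": "node ./scripts/setup.js"}})

if __name__ == "__main__":
    for text in (QUIET, NOISY):
        name, version, findings = review_manifest(text)
        status = "review before installing" if findings else "no install-time scripts"
        print("%s@%s: %s" % (name, version, status))
        for line in findings:
            print("  " + line)
```

Setting `ignore-scripts=true` in `.npmrc` (or running `npm install --ignore-scripts`) stops npm from running these hooks at all; this check helps decide which packages you still trust to run them.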
The timeline provided in the above document is as follows:
- Jan 1 2016: Initial discovery of exploit
- Jan 4 2016: Initial disclosure + proof of concept to npm
- Jan 5 2016: Private disclosure to Facebook
- Jan 7 2016: Response from npm
- Jan 8 2016: Confirmation of "works as intended"; no intention to fix at the moment from npm.
- Feb 5 2016: Shared the disclosure doc
An attacker may be able to create a self-replicating worm that spreads as users install packages.
The CERT/CC is currently unaware of a practical solution to this problem. Please see the npm Blog for details and also consider the following workarounds:
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|--------|--------|---------------|--------------|
| npm | Affected | 11 Feb 2016 | 25 Mar 2016 |
CVSS Metrics
Thanks to David Ross and Sam Saccone for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: Unknown
- Date Public: 25 Mar 2016
- Date First Published: 25 Mar 2016
- Date Last Updated: 26 Mar 2016
- Document Revision: 44
If you have feedback, comments, or additional information about this vulnerability, please send us email.