Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-43616

Date: November 13, 2021

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.

Language: JS

Severity Score

Related Resources (17)

https://github.com/npm/cli/issues/2701#issuecomment-979054224
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXNVFKOF5ZYH5NIRWHKN6O6UBCHDV6FE/
https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0
https://docs.npmjs.com/cli/v7/commands/npm-ci
https://github.com/npm/cli/issues/2701#issuecomment-972900511
https://access.redhat.com/security/cve/CVE-2021-43616
https://security.alpinelinux.org/vuln/CVE-2021-43616
https://nvd.nist.gov/vuln/detail/CVE-2021-43616
https://people.canonical.com/~ubuntu-security/cve/CVE-2021-43616
https://security.netapp.com/advisory/ntap-20211210-0002/
https://github.com/npm/cli/issues/2701
https://security-tracker.debian.org/tracker/CVE-2021-43616
https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490f
https://github.com/icatalina/CVE-2021-43616
https://docs.npmjs.com/cli/v8/commands/npm-ci
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXNVFKOF5ZYH5NIRWHKN6O6UBCHDV6FE/
https://www.mend.io/vulnerability-database/CVE-2021-43616

Severity Score

Weakness Type (CWE)

Insufficient Verification of Data Authenticity

CWE-345

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us