Three vulnerabilities were found in NPM, which are fixed in NPM 6.13.4

The developers in charge of the npm package manager recently released a corrective update, npm 6.13.4. npm ships with Node.js and is used to distribute JavaScript modules.

This corrective release fixes three vulnerabilities that allow arbitrary files on the system to be modified or overwritten when a package prepared by an attacker is installed.

CVE-2019-16775

This vulnerability affects npm CLI versions prior to 6.13.3, which are vulnerable to an arbitrary file write: after installation, a package can create symbolic links to files outside the node_modules folder through the bin field.

A specially constructed entry in the bin field of package.json allows a package publisher to create a symbolic link pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts.

CVE-2019-16776

npm CLI versions prior to 6.13.3 are also affected by an arbitrary file write, because access to folders outside the intended node_modules folder through the bin field was not prevented.

A specially constructed entry in the bin field of package.json allows a package publisher to modify and access arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts.

Paths containing "/../" were allowed in the bin field.

CVE-2019-16777

Finally, npm CLI versions prior to 6.13.4 are vulnerable to an arbitrary file overwrite, because they do not prevent one package's binaries from overwriting binaries that another package has already installed globally.

For example, if a package was installed globally and created a service binary, any later package installation that also creates a service binary overwrites the old one. This behavior is still allowed for local installations and through install scripts.

Only files in the destination directory where the executables are installed (usually /usr/local/bin) can be replaced.

An important factor for these vulnerabilities is that an attacker would have to get the victim to install the package with the specially crafted bin entry. However, as we have seen in the past, this is not an insurmountable barrier.

The security team at npm, Inc. has been scanning the registry for examples of this attack, and has not found any packages published in the registry with this exploit. That does not guarantee that it has not been used, but it does mean that it is not currently being used in packages published to the registry.

We will continue to monitor and take action to prevent bad actors from exploiting this vulnerability in the future. However, we cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible.

Solution

The main solution is to update to the new corrective version: the package.json parsing libraries used in npm 6.13.3 were updated to sanitize and validate all entries in the bin field, removing leading slashes, path traversal entries and other means of path escape, using the well-tested and highly reliable path utility built into Node.js.

As a workaround, packages can also be installed with the --ignore-scripts option, which prevents package install scripts from running.

If you want to know more about the bugs, you can check the details in the npm blog post at the following link.

Finally, those who want to install the new version can do so from the official channels or by compiling it from source code, following the instructions at the following link.

