Home/CVE/`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the n
CVE

CVE-2021-39135

`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the n

@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's node_modules folder. If the node_modules folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system.

Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a node_modules symbolic link would have to be employed. 1. A preinstall script could replace node_modules with a symlink. (This is prevented by using --ignore-scripts.) 2.

An attacker could supply the target with a git repository, instructing them to run npm install --ignore-scripts in the root. This may be successful, because npm install --ignore-scripts is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above.

For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.

HIGH · CVSS 8.2 EPSS 0.00211
Schedule remediation
  • CVSS base score ≥ 7.0
Sigma rules0 YARA rules0

Weakness Classification

CWE-59Improper Link Resolution Before File Access ('Link Following')
CWE-61UNIX Symbolic Link (Symlink) Following

Affected Products & Versions

3
npmjs arborist< 2.8.2
oracle graalvmall versions
siemens sinec infrastructure network services< 1.0.1.1

Affected Packages

1
Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.
npm @npmcli/arborist HIGH fixed in 2.8.2

Scoring & Timeline

8.2
HIGH · CVSS v3.1 · security-advisories@github.com
View on NVD
Attack Vector
Network Adjacent Local Physical
Attack Complexity
Low High
Privileges Required
None Low High
User Interaction
None Required
Scope
Unchanged Changed
Confidentiality
None Low High
Integrity
None Low High
Availability
None Low High
Published to NVD31 Aug 2021 · 05:15 PM
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Vendor Advisories

12
suse-csafopenSUSE-SU-2024:11616-1
siemens-csafSSA-389290
suse-csafSUSE-SU-2022:0101-1
suse-csafopenSUSE-SU-2021:1574-1
suse-csafopenSUSE-SU-2021:1552-1
🔗

References & Sources

4
Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2Third Party Advisory
https://www.npmjs.com/package/%40npmcli/arborist
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
NVDCVE.orgCISAVulnersExploit-DBGitHub PoCVulnCheck KEVGreyNoise
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin