CVE-2021-43616: Insufficient Verification of Data Authenticity in NPM

Severity
NVD: 9.8 CRITICAL
CNA: 9.0
EPSS
1.9% (top 16.96%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 13
Latest update: May 24

Description

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has differe

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

Debian: npmjs/npm < 8.4.1~ds-1 (+2)
NVD: npmjs/npm 7.0.0 to 7.24.2 (+1)

Also affects: Fedora 35

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-ppxp-px5q-gwqm: The npm ci command in npm 7... (2022-05-24)
OSV: CVE-2021-43616: The npm ci command in npm 7... (2021-11-13)
CVEList: CVE-2021-43616: The npm ci command in npm 7... (2021-11-13)

📋 Vendor Advisories (2)

Red Hat: npm: npm ci succeeds when package-lock.json doesn't match package.json (2021-02-15)
Debian: CVE-2021-43616: npm - The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installatio... (2021)
CVE-2021-43616 — Npmjs NPM vulnerability | cvebase