Original Release date: 25 Mar 2016 | Last revised: 26 Mar 2016
npm allows packages to take actions during installation that could let a malicious package author create a worm that spreads across the majority of the npm ecosystem.
npm is the default package manager for Node.js, a runtime environment for developing server-side web applications. Several factors in the npm system, taken together, could allow a worm to compromise the majority of the npm ecosystem:
Combined, these three aspects of npm provide the capability for a self-replicating worm. The following steps are an example worm workflow outlined in the report provided by Sam Saccone:
The full report from Sam Saccone is available here in PDF form: npmwormdisclosure.pdf
The timeline provided in the above document is as follows:
Jan 4 2016: Initial disclosure and proof of concept to npm
Jan 5 2016: Private disclosure to Facebook
Jan 7 2016: Response from npm
Jan 8 2016: Confirmation from npm that this works as intended; no intention to fix at the moment
Feb 5 2016: Shared the disclosure document
An attacker may be able to create a self-replicating worm that spreads as users install packages.
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:
Vendor Information

Vendor   Status     Date Notified   Date Updated
npm      Affected   11 Feb 2016     25 Mar 2016
CVSS Metrics
Thanks to David Ross and Sam Saccone for reporting this vulnerability.
This document was written by Will Dormann.
Date First Published: 25 Mar 2016
Date Last Updated: 26 Mar 2016
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/b84gKr9nYpo/319816