CVE-2021-39134
📋 TL;DR
This vulnerability in @npmcli/arborist allows attackers to write arbitrary files to any location on case-insensitive filesystems by exploiting case-sensitivity conflicts in dependency names. Anyone using npm v7.20.6 or earlier on macOS, Windows, or other case-insensitive filesystems is potentially affected.
💻 Affected Systems
- npm
- @npmcli/arborist
📦 What is this software?
Graalvm by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file write to critical system locations, potentially leading to remote code execution or data destruction.
Likely Case
Local privilege escalation, data corruption, or malicious package installation through file overwrite attacks.
If Mitigated
Limited impact if proper file permissions and isolation are in place, but still risk of package integrity compromise.
🎯 Exploit Status
Exploitation requires creating malicious npm packages with specific dependency naming patterns. Proof-of-concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: npm v7.20.7 or later, @npmcli/arborist 2.8.2 or later
Vendor Advisory: https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
Restart Required: No
Instructions:
1. Update npm globally: npm install -g npm@latest
2. Verify update: npm --version
3. For projects, update package-lock.json and reinstall dependencies
🔧 Temporary Workarounds
Use case-sensitive filesystem
Run npm on a case-sensitive filesystem (Linux default, macOS APFS case-sensitive, Windows with WSL2)
Audit npm packages
Review and audit all npm packages before installation, especially from untrusted sources:
npm audit
npm ls
🧯 If You Can't Patch
- Restrict npm package installation to trusted sources only
- Implement strict file permissions and isolation for npm operations
🔍 How to Verify
Check if Vulnerable:
Check the npm version: npm --version. If the version is 7.20.6 or earlier, you are vulnerable on case-insensitive filesystems.
Check Version:
npm --version
Verify Fix Applied:
Verify npm version is 7.20.7 or later: npm --version
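The two conditions above (npm 7.20.6 or earlier, and a case-insensitive filesystem) can be checked together with a small POSIX sh script. This is an added example, not npm's own tooling; it assumes npm prints a plain semver string and takes the affected range from this page.

```shell
#!/bin/sh
# Added example: offline check helpers for CVE-2021-39134. Assumes the affected
# range is npm <= 7.20.6 (as stated on the page); not part of official npm tooling.

# Return 0 when VERSION (e.g. "7.20.6" or "v7.20.6") is within the affected
# range, 1 when it is 7.20.7 or later. Pre-release suffixes are ignored.
npm_is_vulnerable() {
  v=$(printf '%s' "$1" | sed 's/^v//; s/-.*$//')
  set -- $(printf '%s' "$v" | tr '.' ' ')   # split into major minor patch
  maj=${1:-0}; min=${2:-0}; pat=${3:-0}
  if [ "$maj" -lt 7 ]; then return 0; fi
  if [ "$maj" -gt 7 ]; then return 1; fi
  if [ "$min" -lt 20 ]; then return 0; fi
  if [ "$min" -gt 20 ]; then return 1; fi
  [ "$pat" -le 6 ]
}

# Return 0 when DIR sits on a case-insensitive filesystem (the condition the
# bug needs), 1 when it is case-sensitive, 2 when no probe file can be created.
fs_is_case_insensitive() {
  dir=${1:-.}
  probe="$dir/.CaseProbe.$$"
  : > "$probe" 2>/dev/null || return 2
  if [ -e "$dir/.caseprobe.$$" ]; then rc=0; else rc=1; fi
  rm -f "$probe"
  return "$rc"
}

# Print a verdict for the running host (interactive use only).
check_host() {
  if ! command -v npm >/dev/null 2>&1; then
    echo "npm not found; nothing to check"; return 0
  fi
  ver=$(npm --version)
  if npm_is_vulnerable "$ver" && fs_is_case_insensitive "$PWD"; then
    echo "npm $ver on a case-insensitive filesystem: affected, update to 7.20.7 or later"
  elif npm_is_vulnerable "$ver"; then
    echo "npm $ver is in the affected range, but $PWD is case-sensitive"
  else
    echo "npm $ver: fix applied"
  fi
}
```

Source the file and call check_host, or pass a version string to npm_is_vulnerable directly when auditing inventory data rather than a live host.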
📡 Detection & Monitoring
Log Indicators:
- Unusual npm install patterns with case-variant package names
- File write operations to unexpected locations during npm install
Network Indicators:
- npm install requests for suspicious packages with file:// dependencies
SIEM Query:
process.name='npm' AND (command_line CONTAINS 'install' OR command_line CONTAINS 'i') AND (file.path CONTAINS 'file:' OR file.path CONTAINS unusual patterns)
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
- https://www.npmjs.com/package/%40npmcli/arborist
- https://www.oracle.com/security-alerts/cpuoct2021.html