Cybersecurity researchers at GitHub have uncovered arbitrary code execution vulnerabilities in two open-source Node.js packages, "tar" and "@npmcli/arborist". The tar package averages about 20 million downloads a week, while arborist is downloaded more than 300,000 times a week. The vulnerabilities affect both Windows and Unix-based users and, if left unpatched, can be abused by threat actors to gain arbitrary code execution on any system that installs untrusted npm packages.

Bug bounty hunters received $14,500 for ZIP slips

Over the past two months, July and August, security researchers and bug bounty hunters Robert Chen and Philip Papurt discovered arbitrary code execution vulnerabilities in the open-source Node.js packages tar and @npmcli/arborist. They reported the issues privately to npm through one of GitHub's bug bounty programs. Further review of their reports led the GitHub security team to find additional high-severity vulnerabilities in these cross-platform packages. Chen and Papurt received a total of $14,500 in bounties from the GitHub security team for their efforts to keep GitHub secure.

tar is a core dependency of installers that must unpack npm packages during installation, and arborist is a core dependency of the npm CLI that manages node_modules trees. These ZIP slip vulnerabilities (path traversal during archive extraction) are a serious concern for developers who install untrusted npm packages with the npm CLI, or who use tar to extract untrusted archives. By default, npm packages are shipped as .tar.gz or .tgz files, which are gzip-compressed tar archives; like ZIP files, they must be unpacked by the installation tools, and a crafted entry path can make the extractor write outside the intended directory. Ideally, the tools used to extr ..