Vulnerability Description
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Npmjs | Npm | >= 7.0.0, <= 7.24.2 |
| Netapp | Next Generation Application Programming Interface | - |
| Fedoraproject | Fedora | 35 |
Related Weaknesses (CWE)
References
- https://docs.npmjs.com/cli/v7/commands/npm-ciProductVendor Advisory
- https://docs.npmjs.com/cli/v8/commands/npm-ci
- https://github.com/icatalina/CVE-2021-43616Third Party Advisory
- https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490fPatchThird Party Advisory
- https://github.com/npm/cli/issues/2701ExploitIssue TrackingThird Party Advisory
- https://github.com/npm/cli/issues/2701#issuecomment-972900511
- https://github.com/npm/cli/issues/2701#issuecomment-979054224
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0ExploitThird Party Advisory
- https://security.netapp.com/advisory/ntap-20211210-0002/Third Party Advisory
- https://docs.npmjs.com/cli/v7/commands/npm-ciProductVendor Advisory
- https://docs.npmjs.com/cli/v8/commands/npm-ci
- https://github.com/icatalina/CVE-2021-43616Third Party Advisory
- https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490fPatchThird Party Advisory
- https://github.com/npm/cli/issues/2701ExploitIssue TrackingThird Party Advisory
FAQ
What is CVE-2021-43616?
CVE-2021-43616 is a vulnerability with a CVSS score of 9.0 (CRITICAL). The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the ...
How severe is CVE-2021-43616?
CVE-2021-43616 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-43616?
Check the references section above for vendor advisories and patch information. Affected products include: Npmjs Npm, Netapp Next Generation Application Programming Interface, Fedoraproject Fedora.