CVE-2021-43616 PoC — npm CLI data forgery vulnerability

Associated Vulnerability
Title: npm CLI data forgery vulnerability (CVE-2021-43616)
Description: The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.
Readme
Repo demonstrating CVE-2021-43616 / https://github.com/npm/cli/issues/2701

Remove the `node_modules` folder and run `npx npm@8 ci`. You can then see that
npm installs version 2.2.x (2.2.16 at the time of this commit) even though
package-lock.json requires 2.0.0:

```
cat node_modules/shortid/package.json   # "version" shows 2.2.x after npm ci, not the locked 2.0.0
```

I've committed the `node_modules` from the original install so the issue is obvious
after running `npm ci`.
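The procedure above shows the missing guard; the following script, added here as an example and not code from the PoC repository or from npm itself, implements that guard as a pre-install check: it refuses to proceed when package-lock.json no longer agrees with package.json, which is the comparison `npm ci` in the affected releases skipped. It assumes lockfileVersion 2 or 3 (where the `packages[""]` entry mirrors the root package.json), and it uses a deliberately small semver matcher that only models exact, `^` and `~` specs; any other range syntax is reported as unverifiable so the check fails closed. The sample package.json and lockfile objects are constructed to mirror the scenario in this README (lockfile pins shortid 2.0.0, package.json asks for a range that resolves to 2.2.x) and are not the PoC's actual files.

```javascript
// Added example (not from the PoC repo or npm): consistency check between
// package.json and package-lock.json, to be run before `npm ci`.
// Assumptions: lockfileVersion 2/3 layout; toy semver matcher (exact, ^, ~ only).

// Parse "MAJOR.MINOR.PATCH" into three numbers. An optional leading "v" and any
// prerelease/build suffix are ignored, which is enough for the shapes used here.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// true/false when `spec` is exact, "^x.y.z" or "~x.y.z"; null for any other
// range syntax (">=", "||", "x", dist-tags, ...) that this toy matcher does not model.
function satisfies(version, spec) {
  const m = /^([\^~]?)v?(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  if (!m) return null;
  const op = m[1];
  const base = m.slice(2, 5).map(Number);
  const v = parseVersion(version);
  if (cmpVersion(v, base) < 0) return false;
  if (op === "") return cmpVersion(v, base) === 0;
  let upper; // exclusive upper bound of the range
  if (op === "~") upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return cmpVersion(v, upper) < 0;
}

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Compare a parsed package.json against a parsed package-lock.json.
// Returns human-readable problems; an empty list means the files agree.
function lockfileProblems(pkg, lock) {
  const problems = [];
  const root = lock.packages && lock.packages[""];
  if (!root) {
    problems.push('lockfile has no packages[""] root entry (lockfileVersion < 2?)');
    return problems;
  }
  for (const field of DEP_FIELDS) {
    const want = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, spec] of Object.entries(want)) {
      if (!(name in locked)) {
        problems.push(`${field}.${name}: in package.json but not in the lockfile root`);
        continue;
      }
      if (locked[name] !== spec) {
        problems.push(`${field}.${name}: package.json wants ${spec}, lockfile recorded ${locked[name]}`);
      }
      const entry = lock.packages[`node_modules/${name}`];
      if (!entry) {
        problems.push(`${field}.${name}: no resolved node_modules/${name} entry in lockfile`);
        continue;
      }
      const ok = satisfies(entry.version, spec);
      if (ok === null) problems.push(`${field}.${name}: cannot verify spec ${spec} against locked ${entry.version}`);
      else if (!ok) problems.push(`${field}.${name}: locked version ${entry.version} does not satisfy ${spec}`);
    }
    for (const name of Object.keys(locked)) {
      if (!(name in want)) problems.push(`${field}.${name}: in the lockfile root but not in package.json`);
    }
  }
  return problems;
}

// Constructed sample data (not the PoC's real files): the lockfile pins
// shortid 2.0.0; the tampered package.json asks for ^2.2.0, a range that
// resolves to 2.2.x. Fields such as resolved/integrity are omitted for brevity.
const SAMPLE_LOCK = {
  name: "poc", version: "1.0.0", lockfileVersion: 2, requires: true,
  packages: {
    "": { name: "poc", version: "1.0.0", dependencies: { shortid: "2.0.0" } },
    "node_modules/shortid": { version: "2.0.0" },
  },
};
const CONSISTENT_PKG = { name: "poc", version: "1.0.0", dependencies: { shortid: "2.0.0" } };
const TAMPERED_PKG = { name: "poc", version: "1.0.0", dependencies: { shortid: "^2.2.0" } };

// `node check-lock.js <dir>` exits non-zero on any mismatch, so it can gate
// `npm ci` in CI. With no argument it reports on the constructed samples.
function checkDirectory(dir) {
  const fs = require("fs");
  const path = require("path");
  const read = (f) => JSON.parse(fs.readFileSync(path.join(dir, f), "utf8"));
  return lockfileProblems(read("package.json"), read("package-lock.json"));
}

if (typeof require !== "undefined" && require.main === module) {
  if (process.argv[2]) {
    const problems = checkDirectory(process.argv[2]);
    problems.forEach((p) => console.error(`lockfile mismatch: ${p}`));
    process.exit(problems.length ? 1 : 0);
  } else {
    console.log("consistent sample:", lockfileProblems(CONSISTENT_PKG, SAMPLE_LOCK));
    console.log("tampered sample:", lockfileProblems(TAMPERED_PKG, SAMPLE_LOCK));
  }
}
```

Two caveats: the check only covers the root package's direct dependencies, so it does not detect a tampered transitive entry or a changed `integrity` hash, and a real deployment should swap the toy `satisfies` for the `semver` package, keeping the fail-closed behaviour for anything the matcher cannot evaluate. As the vulnerability description notes, this only helps if the attacker cannot also rewrite package-lock.json; a lockfile committed and reviewed separately from package.json is the precondition.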
File Snapshot

```
[4.0K] /data/pocs/12f8fe17f3d71bf9b41a8331c73a000097f3ebc5
├── [4.0K] node_modules
│   └── [4.0K] shortid
│       ├── [4.0K] examples
│       │   └── [ 121] examples.js
│       ├── [4.0K] lib
│       │   ├── [2.0K] alphabet.js
│       │   ├── [ 389] encode.js
│       │   └── [ 417] random.js
│       ├── [1.6K] LICENSE
│       ├── [ 916] package.json
│       ├── [4.1K] README.md
│       ├── [2.7K] shortid.js
│       └── [4.0K] test
│           ├── [2.4K] alphabet.test.js
│           ├── [ 723] random.test.js
│           └── [1.1K] shortid.test.js
├── [  52] package.json
├── [ 622] package-lock.json
└── [ 415] README.md

5 directories, 14 files
```