Repo demonstrating CVE-2021-43616 / https://github.com/npm/cli/issues/2701
Remove the `node_modules` folder and run `npx npm@8 ci`; you can then see that
npm installs version 2.2.x (2.2.16 at the time of this commit) even though
`package-lock.json` requires 2.0.0:
```sh
cat node_modules/shortid/package.json
```
I've committed the `node_modules` from the original install so the issue is obvious
after running `npm ci`.
```
[4.0K] /data/pocs/12f8fe17f3d71bf9b41a8331c73a000097f3ebc5
├── [4.0K] node_modules
│   └── [4.0K] shortid
│       ├── [4.0K] examples
│       │   └── [ 121] examples.js
│       ├── [4.0K] lib
│       │   ├── [2.0K] alphabet.js
│       │   ├── [ 389] encode.js
│       │   └── [ 417] random.js
│       ├── [1.6K] LICENSE
│       ├── [ 916] package.json
│       ├── [4.1K] README.md
│       ├── [2.7K] shortid.js
│       └── [4.0K] test
│           ├── [2.4K] alphabet.test.js
│           ├── [ 723] random.test.js
│           └── [1.1K] shortid.test.js
├── [  52] package.json
├── [ 622] package-lock.json
└── [ 415] README.md

5 directories, 14 files
```