Bleeping Computer -
GitHub's security team has identified several high-severity vulnerabilities in two npm packages, "tar" and "@npmcli/arborist", that are used by the npm CLI.
The tar package averages 20 million downloads per week, whereas arborist is downloaded more than 300,000 times a week.
The vulnerabilities affect both Windows and Unix-based users and, if left unpatched, can be exploited by attackers to achieve arbitrary code execution on a system that installs an untrusted npm package.
Bug bounty hunters awarded $14,500 for ZIP slips
Between July and August this year, security researchers and bug bounty hunters Robert Chen and Philip Papurt identified arbitrary code execution vulnerabilities in the open-source Node.js packages tar and @npmcli/arborist.
On discovery of these vulnerabilities, the researchers privately notified npm via one of GitHub’s bug bounty programs.
On further review of the researchers' reports, GitHub's security team found additional high-severity vulnerabilities in the same packages, affecting both Windows and Unix-based systems.
The Node.js package tar remains a core dependency for installers that need to unpack npm packages post-installation. The package is also used by thousands of
The post GitHub finds 7 code execution vulnerabilities in 'tar' and npm CLI appeared first on Bleeping Computer.