GitHub finds 7 code execution vulnerabilities in 'tar' and npm CLI

Bleeping Computer -

GitHub's security team has identified several high-severity vulnerabilities in two npm packages, “tar” and “@npmcli/arborist,” both of which are used by the npm CLI.

The tar package receives 20 million weekly downloads on average, whereas arborist gets downloaded over 300,000 times every week.

The vulnerabilities affect both Windows and Unix-based users, and if left unpatched, can be exploited by attackers to achieve arbitrary code execution on a system installing untrusted npm packages.

Bug bounty hunters awarded $14,500 for ZIP slips

Between July and August this year, security researchers and bug bounty hunters Robert Chen and Philip Papurt identified arbitrary code execution vulnerabilities in the open-source Node.js packages, tar and @npmcli/arborist.

On discovery of these vulnerabilities, the researchers privately notified npm via one of GitHub’s bug bounty programs.

On further review of the researchers’ reports, GitHub's security team found several more high-severity vulnerabilities in the same packages, affecting both Windows and Unix-based systems.

Node.js package tar remains a core dependency for installers that need to unpack npm packages post-installation. The package is also used by thousands of
