
"When a Node.js application calls require('bar'), the runtime searches for the module in the following order: C:\Users\Administrator\projects\node_modules\bar.js, C:\Users\Administrator\node_modules\bar.js, C:\Users\node_modules\bar.js, C:\node_modules\bar.js. If the legitimate package is missing, the resolution search will eventually reach the root of the drive."
"Any user can create C:\node_modules and place a malicious package there. Once the low-privileged user has populated C:\node_modules\bar.js, Node.js will load and execute it in the context of the current user."
"Despite properly following NPM's guidelines, third-party dependencies end up triggering this vulnerability anytime you launch the application. The recommended pattern for checking for optional dependencies is crucial to mitigate these risks."
Node.js resolves a bare `require('bar')` by walking up from the calling file's directory and checking each `node_modules` folder on the way, stopping only at the root of the drive. Because Windows by default lets any authenticated user create a folder directly under C:\, a low-privileged user can plant C:\node_modules\bar.js; whenever the legitimate package is not installed anywhere closer to the application, Node.js loads the planted file in the context of whichever (possibly more privileged) user runs the application. The article's case studies show third-party dependencies triggering this even when they follow npm's guidelines: the pattern npm itself documents for optional dependencies, probing with `require()` inside a try/catch, turns an absent package into exactly this fall-through to the drive root unless the code also checks where the module actually resolved from.
Read at Zero Day Initiative