CVE-2021-43616
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-43616
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43616.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-43616
- Related
- Withdrawn
- 2022-10-17T00:00:00Z
- Published
- 2021-11-13T18:15:07Z
- Modified
- 2024-09-18T03:19:27.187658Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.
- References
-
- https://docs.npmjs.com/cli/v7/commands/npm-ci
- https://security.netapp.com/advisory/ntap-20211210-0002/
- https://github.com/npm/cli/issues/2701
- https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0
- https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490f
- https://github.com/npm/cli/issues/2701#issuecomment-972900511
- https://github.com/npm/cli/issues/2701#issuecomment-979054224
- https://docs.npmjs.com/cli/v8/commands/npm-ci
- https://github.com/icatalina/CVE-2021-43616
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXNVFKOF5ZYH5NIRWHKN6O6UBCHDV6FE/
- https://security-tracker.debian.org/tracker/CVE-2021-43616
Affected packages
Debian:11 / npm
Package
- Name
- npm
- Purl
- pkg:deb/debian/npm?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
7.*
7.5.2+ds-2
7.6.0+ds-1
7.6.3+ds-1
7.24.0+ds-1
7.24.0+ds-2
7.24.2+ds-1
7.24.2+ds-2
8.*
8.1.4+ds-1
8.1.4+ds-2
8.3.0~ds-1
8.3.0~ds-2~bpo11+1
8.3.0~ds-2
8.3.1~ds-1~bpo11+1
8.3.1~ds-1
8.3.2~ds-1
8.4.0~ds-1
8.4.1~ds-1
8.5.0~ds-1
8.5.1~ds-1
8.5.2~ds-1
8.5.3~ds-1
8.5.3~ds1-1
8.5.4~ds1-1
8.5.5~ds1-1~bpo11+1
8.5.5~ds1-1
8.6.0~ds1-1
8.6.0~ds1-2
8.6.0~ds1-3
8.6.0~ds2-1
8.6.0~ds2-2
8.7.0~ds1-1
8.7.0~ds1-2
8.8.0~ds1-1
8.9.0~ds1-1
8.10.0~ds1-1
8.10.0~ds1-2
8.11.0~ds1-1
8.12.1~ds1-1
8.12.2~ds1-1
8.13.1~ds1-1
8.13.2~ds1-1
8.14.0~ds1-1
8.15.0~ds1-1
8.15.0~ds1-2
8.15.1~ds1-1
8.16.0~ds1-1
8.17.0~ds1-1
8.18.0~ds1-1
8.19.2~ds1-1
8.19.2~ds1-2
9.*
9.1.1~ds1-1
9.1.2~ds1-1
9.1.2~ds1-2
9.1.2~ds1-3
9.1.3~ds1-1
9.2.0~ds1-1
9.2.0~ds1-2
9.2.0~ds1-3
Debian:12 / npm
Package
- Name
- npm
- Purl
- pkg:deb/debian/npm?arch=source
Debian:13 / npm
Package
- Name
- npm
- Purl
- pkg:deb/debian/npm?arch=source
Git / github.com/nodejs/node
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nodejs/node
- Events
-
IntroducedLast affected
- Type
- GIT
- Repo
- https://github.com/npm/cli
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.1.27
1.*
1.0.0rc3
1.0.7
1.1.0-1
1.1.0-alpha-1
1.1.0-alpha-2
1.1.22
@npmcli/arborist@4.*
@npmcli/arborist@4.2.1
@npmcli/arborist@4.3.0
libnpmaccess@5.*
libnpmaccess@5.0.1
libnpmexec@3.*
libnpmexec@3.0.3
libnpmhook@7.*
libnpmhook@7.0.1
libnpmorg@3.*
libnpmorg@3.0.1
libnpmpublish@5.*
libnpmpublish@5.0.1
libnpmsearch@4.*
libnpmsearch@4.0.1
libnpmteam@3.*
libnpmteam@3.0.1
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.6
v0.0.7
v0.1.0
v0.1.1
v0.1.10
v0.1.11
v0.1.12
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.2
v0.1.21
v0.1.22
v0.1.23
v0.1.24
v0.1.25
v0.1.26
v0.1.27
v0.1.27-1
v0.1.27-12
v0.1.27-2
v0.1.27-3
v0.1.27-4
v0.1.27-5
v0.1.27-6
v0.1.27-7
v0.1.27-8
v0.1.27-9
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.2.0
v0.2.1
v0.2.10
v0.2.10-1
v0.2.11
v0.2.11-1
v0.2.11-2
v0.2.11-3
v0.2.11-4
v0.2.11-5
v0.2.12
v0.2.12-1
v0.2.13
v0.2.13-1
v0.2.13-2
v0.2.13-3
v0.2.14
v0.2.14-1
v0.2.14-2
v0.2.14-3
v0.2.14-4
v0.2.14-5
v0.2.14-6
v0.2.15
v0.2.16
v0.2.17
v0.2.18
v0.2.2
v0.2.3
v0.2.3-3
v0.2.3-4
v0.2.3-5
v0.2.3-6
v0.2.4
v0.2.4-1
v0.2.5
v0.2.5-1
v0.2.7-2
v0.2.7-3
v0.2.8
v0.2.9
v0.3.0
v0.3.0-1
v0.3.0-10
v0.3.0-2
v0.3.0-3
v0.3.0-4
v0.3.0-5
v0.3.0-6
v0.3.0-7
v0.3.0-8
v0.3.0-9
v0.3.1
v0.3.10
v0.3.11
v0.3.12
v0.3.13
v0.3.14
v0.3.15
v0.3.16
v0.3.17
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v1.*
v1.0.0-1-rc
v1.0.0-2-rc
v1.0.0rc4
v1.0.0rc5
v1.0.0rc6
v1.0.0rc7
v1.0.0rc8
v1.0.0rc9
v1.0.1
v1.0.10
v1.0.100
v1.0.101
v1.0.102
v1.0.103
v1.0.104
v1.0.105
v1.0.106
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.0.19
v1.0.1rc0
v1.0.1rc1
v1.0.1rc3
v1.0.1rc4
v1.0.1rc5
v1.0.1rc6
v1.0.1rc7
v1.0.1rc8
v1.0.1rc9
v1.0.1rcFINAL
v1.0.2
v1.0.20
v1.0.21
v1.0.22
v1.0.23
v1.0.24
v1.0.25
v1.0.26
v1.0.27
v1.0.28
v1.0.29
v1.0.3
v1.0.30
v1.0.4
v1.0.5
v1.0.6
v1.0.8
v1.0.9
v1.0.9-1
v1.0.90
v1.0.91
v1.0.92
v1.0.93
v1.0.94
v1.0.95
v1.0.96
v1.0.97
v1.0.98
v1.0.99
v1.1.0
v1.1.0-1
v1.1.0-2
v1.1.0-3
v1.1.0-alpha-3
v1.1.0-alpha-4
v1.1.0-alpha-5
v1.1.0-alpha-6
v1.1.0-beta-0
v1.1.0-beta-1
v1.1.0-beta-10
v1.1.0-beta-2
v1.1.0-beta-3
v1.1.0-beta-4
v1.1.0-beta-5
v1.1.0-beta-6
v1.1.0-beta-7
v1.1.0-beta-8
v1.1.0-beta-9
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.1.16
v1.1.17
v1.1.18
v1.1.19
v1.1.2
v1.1.20
v1.1.21
v1.1.22
v1.1.23
v1.1.24
v1.1.25
v1.1.26
v1.1.27
v1.1.28
v1.1.29
v1.1.3
v1.1.30
v1.1.31
v1.1.32
v1.1.33
v1.1.34
v1.1.35
v1.1.36
v1.1.37
v1.1.38
v1.1.39
v1.1.4
v1.1.40
v1.1.41
v1.1.42
v1.1.43
v1.1.44
v1.1.45
v1.1.46
v1.1.48
v1.1.49
v1.1.5
v1.1.50
v1.1.51
v1.1.52
v1.1.53
v1.1.54
v1.1.55
v1.1.56
v1.1.57
v1.1.58
v1.1.59
v1.1.6
v1.1.60
v1.1.61
v1.1.62
v1.1.63
v1.1.64
v1.1.65
v1.1.66
v1.1.67
v1.1.68
v1.1.69
v1.1.7
v1.1.70
v1.1.71
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.10
v1.2.11
v1.2.12
v1.2.13
v1.2.14
v1.2.15
v1.2.16
v1.2.17
v1.2.18
v1.2.19
v1.2.2
v1.2.20
v1.2.21
v1.2.22
v1.2.23
v1.2.24
v1.2.25
v1.2.26
v1.2.27
v1.2.28
v1.2.29
v1.2.3
v1.2.30
v1.2.31
v1.2.32
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.3.2
v1.3.20
v1.3.21
v1.3.22
v1.3.23
v1.3.24
v1.3.25
v1.3.26
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.14
v1.4.15
v1.4.16
v1.4.17
v1.4.18
v1.4.19
v1.4.2
v1.4.20
v1.4.21
v1.4.22
v1.4.23
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5.0-alpha-0
v1.5.0-alpha-1
v1.5.0-alpha-2
v1.5.0-alpha-3
v1.5.0-alpha-4
v2.*
v2.0.0
v2.0.0-alpha-5
v2.0.0-alpha.6.0
v2.0.0-alpha.7
v2.0.0-beta.0
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.14
v2.1.15
v2.1.16
v2.1.17
v2.1.18
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.10.0
v2.10.1
v2.11.0
v2.11.1
v2.11.2
v2.11.3
v2.12.0
v2.2.0
v2.3.0
v2.4.0
v2.4.1
v2.5.0
v2.5.1
v2.6.0
v2.6.1
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.1
v3.*
v3.0.0
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.10.0
v3.10.1
v3.10.2
v3.10.3
v3.10.4
v3.10.5
v3.10.6
v3.10.7
v3.10.8
v3.10.9
v3.2.0
v3.2.1
v3.2.2
v3.3.0
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.1
v3.5.0
v3.5.1
v3.5.2
v3.5.3
v3.5.4
v3.6.0
v3.7.0
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.7.5
v3.8.0
v3.8.1
v3.8.2
v3.8.3
v3.8.4
v3.8.5
v3.8.6
v3.8.7
v3.8.8
v3.8.9
v3.9.0
v3.9.1
v3.9.2
v3.9.3
v3.9.4
v3.9.5
v3.9.6
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.5
v4.1.0
v4.1.1
v4.1.2
v4.2.0
v4.3.0
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.5.0
v4.6.0
v4.6.1
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.1.0
v5.2.0
v5.3.0
v5.4.0
v5.4.1
v5.4.2
v5.5.0
v5.5.1
v5.6.0
v5.7.0
v5.7.1
v5.8.0
v5.8.0-next.0
v6.*
v6.0.0
v6.0.0-next.0
v6.0.0-next.1
v6.0.0-next.2
v6.0.1
v6.0.1-next.0
v6.1.0
v6.1.0-next.0
v6.10.0
v6.10.0-next.0
v6.10.1
v6.10.1-next.0
v6.10.1-next.1
v6.10.1-next.2
v6.10.2
v6.10.2-next.0
v6.10.2-next.1
v6.10.2-next.2
v6.10.2-next.3
v6.10.3
v6.11.0
v6.11.1
v6.11.2
v6.11.3
v6.12.0
v6.12.0-next.0
v6.12.1
v6.13.0
v6.13.1
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.14.0
v6.14.1
v6.14.3
v6.14.4
v6.14.5
v6.14.7
v6.14.8
v6.2.0
v6.2.0-next.0
v6.2.0-next.1
v6.3.0
v6.3.0-next.0
v6.4.0
v6.4.0-next.0
v6.4.1
v6.4.1-next.0
v6.5.0
v6.6.0
v6.6.0-next.0
v6.6.0-next.1
v6.7.0
v6.9.0
v6.9.0-next.0
v6.9.1
v6.9.1-next.0
v6.9.2
v7.*
v7.0.0
v7.0.0-beta.0
v7.0.0-beta.1
v7.0.0-beta.10
v7.0.0-beta.11
v7.0.0-beta.12
v7.0.0-beta.13
v7.0.0-beta.2
v7.0.0-beta.3
v7.0.0-beta.4
v7.0.0-beta.5
v7.0.0-beta.6
v7.0.0-beta.7
v7.0.0-beta.8
v7.0.0-beta.9
v7.0.0-rc.0
v7.0.0-rc.1
v7.0.0-rc.2
v7.0.0-rc.3
v7.0.0-rc.4
v7.0.1
v7.0.10
v7.0.11
v7.0.12
v7.0.13
v7.0.14
v7.0.15
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9
v7.1.0
v7.1.1
v7.1.2
v7.10.0
v7.11.1
v7.11.2
v7.12.0
v7.12.1
v7.13.0
v7.14.0
v7.15.0
v7.15.1
v7.16.0
v7.17.0
v7.18.0
v7.18.1
v7.19.0
v7.19.1
v7.2.0
v7.20.0
v7.20.1
v7.20.2
v7.20.3
v7.20.4
v7.20.5
v7.20.6
v7.21.0
v7.21.1
v7.22.0
v7.23.0
v7.24.0
v7.24.1
v7.24.2
v7.3.0
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.5.0
v7.5.1
v7.5.3
v7.5.4
v7.5.5
v7.5.6
v7.6.0
v7.6.1
v7.6.2
v7.6.3
v7.7.0
v7.7.1
v7.7.2
v7.7.3
v7.7.4
v7.7.5
v7.7.6
v7.8.0
v7.9.0
v8.*
v8.0.0
v8.1.0
v8.1.1
v8.1.2
v8.1.3
v8.1.4
v8.2.0
v8.3.0
v8.3.1
v8.3.2
v8.4.0