GHSA-7cgc-fjv4-52x6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7cgc-fjv4-52x6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-7cgc-fjv4-52x6/GHSA-7cgc-fjv4-52x6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7cgc-fjv4-52x6
- Published
- 2023-05-24T16:43:58Z
- Modified
- 2023-05-24T16:43:58Z
- Summary
- Malware in pre-build binaries of bignum
- Details
-
Impact
bignum releases from v0.12.2 to v0.13.0 (inclusive) used node-pre-gyp to optionally download pre-built binary versions of the addon. These binaries were published on a now-expired S3 bucket which has since been claimed by a malicious third party which is now serving binaries containing malware that exfiltrates data from the user's computer.
Patches
v0.13.1 does not use node-pre-gyp and does not have support for downloading pre-built binaries in any form, avoiding the risk of malicious downloads.
- Database specific
{ "github_reviewed": true, "nvd_published_at": null, "github_reviewed_at": "2023-05-24T16:43:58Z", "severity": "CRITICAL", "cwe_ids": [ "CWE-506" ] }- References
Affected packages
npm / bignum
Package
- Name
- bignum
- View open source insights on deps.dev
- Purl
- pkg:npm/bignum