GHSA-mmph-wp49-r48h

Source
https://github.com/advisories/GHSA-mmph-wp49-r48h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-mmph-wp49-r48h/GHSA-mmph-wp49-r48h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mmph-wp49-r48h
Published
2020-09-02T20:20:26Z
Modified
2021-10-01T14:02:46Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Malicious Package in experss
Details

All versions of experss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server, including the name of the downloaded package, the name of the intended package, the Node version, and whether the process was running as sudo. There is no further compromise.

Recommendation

Remove the package from your dependencies and always ensure package names are typed correctly upon installation.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:38:11Z",
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-506"
    ]
}
References

Affected packages

npm / experss

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-mmph-wp49-r48h/GHSA-mmph-wp49-r48h.json"