PT-2021-22396 · Npm+3 · @Npmcli/Arborist+4
Published 2021-08-31 · Updated 2022-11-14 · CVE-2021-39134
CVSS v3.1: 8.2 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
@npmcli/arborist versions prior to 2.8.2
npm versions prior to 7.20.7
Description
The issue arises from how @npmcli/arborist handles package dependencies on case-insensitive file systems, such as macOS and Windows. When multiple dependencies differ only in the case of their name, Arborist's internal data structure treats them as separate items, but the file system maps them to the same node_modules entry. This can let an attacker cause arbitrary contents to be written to any location on the file system. For example, one package could declare a dependency "foo": "file:/some/path" and another package could declare a dependency "FOO": "file:foo.tgz". The first spec is installed as a link from node_modules/foo to /some/path; on a case-insensitive file system node_modules/FOO resolves to that same link. If the first package is installed and the second is installed afterwards, the contents of foo.tgz are written through the link into /some/path, and any existing contents of /some/path are removed.
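The following is an added example, not code from the advisory or from npm/arborist: a defender-side check that scans the dependency declarations collected from a dependency tree and reports names that collapse onto the same node_modules entry when the file system folds case, flagging the directory-link plus tarball combination described above. The input shape (`name`, `spec`, `declaredBy`) and the tarball-extension heuristic are assumptions for illustration.

```javascript
// Added example (not from the advisory or from npm/arborist): detect dependency
// names that collide on a case-insensitive file system, the condition behind
// CVE-2021-39134. The input record shape is an assumption for illustration.

const TARBALL_RE = /\.(tgz|tar\.gz|tar)$/i;

// Classify a dependency spec: a "file:" spec ending in a tarball extension is
// unpacked into node_modules, any other "file:" spec becomes a link to a directory.
function classifySpec(spec) {
  if (!spec.startsWith("file:")) return "registry-or-other";
  return TARBALL_RE.test(spec) ? "file-tarball" : "directory-link";
}

// deps: [{ name, spec, declaredBy }] gathered from every package.json in a tree.
// Returns one finding per folded name that is spelled in more than one way, with
// linkFollowingRisk set when the group mixes a directory link and a tarball,
// i.e. the tarball could be unpacked through the link, outside node_modules.
function findCaseCollisions(deps) {
  const byFolded = new Map();
  for (const dep of deps) {
    const key = dep.name.toLowerCase();
    if (!byFolded.has(key)) byFolded.set(key, []);
    byFolded.get(key).push(dep);
  }
  const findings = [];
  for (const [folded, group] of byFolded) {
    const distinctNames = new Set(group.map((d) => d.name));
    if (distinctNames.size < 2) continue; // same spelling: an ordinary duplicate, not a collision
    const kinds = new Set(group.map((d) => classifySpec(d.spec)));
    findings.push({
      folded,
      names: [...distinctNames].sort(),
      linkFollowingRisk: kinds.has("directory-link") && kinds.has("file-tarball"),
      declaredBy: group.map((d) => d.declaredBy),
    });
  }
  return findings;
}

// Constructed sample mirroring the advisory's scenario plus a harmless collision.
const SAMPLE_DEPS = [
  { name: "foo", spec: "file:/some/path", declaredBy: "pkg-a" },
  { name: "FOO", spec: "file:foo.tgz", declaredBy: "pkg-b" },
  { name: "lodash", spec: "^4.17.21", declaredBy: "pkg-a" },
  { name: "Lodash", spec: "^4.17.21", declaredBy: "pkg-c" },
];

for (const f of findCaseCollisions(SAMPLE_DEPS)) {
  console.log(`${f.folded}: ${f.names.join(", ")} link-following risk=${f.linkFollowingRisk}`);
}
```

Any collision reported by this check is worth rejecting in CI regardless of the risk flag, since an unpatched Arborist treats the two spellings as independent nodes.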
Recommendations
For @npmcli/arborist versions prior to 2.8.2, update to version 2.8.2 or later to resolve the issue.
For npm versions prior to 7.20.7, update to version 7.20.7 or later, which includes the patched @npmcli/arborist version 2.8.2.
As a temporary workaround, avoid installing on case-insensitive file systems, or restrict installation to trusted packages that cannot introduce conflicting dependency names, until the patch is applied.
Fix
Link Following
Related Identifiers
Affected Products
@Npmcli/Arborist
Alt Linux
Debian
Suse
Npm