CVE-2022-0512 Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

CVE-2022-0512 Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

On March 7, 2017, this issue was addressed in NPM 1.5.7 and later versions. You can now type double quotes into a user script and it will be interpreted as a literal value rather than as a keyword. The double quotes are an indication to the Node.js interpreter that what follows is a string and not a keyword. The double quotes are not a security measure and cannot be used to bypass authorization; they are a convenience that makes it easier to insert strings into a script.

If you use the double quote string "{{foo}}" to inject a literal value into a NPM user script, it will be interpreted as a keyword.

NPM Authorization using Authorization Servers

NPM user scripts can be authorized by using the Authorization Servers. The Authorization Servers are specific to your organization and are not accessible to others.
The Authorization Server is a module that can be included in any NPM package that you would like authorized users to use. You must provide a set of credentials, which will be stored on the local machine (e.g., ~/.npmrc) and used by any scripts requiring authentication.

Confirming that your package has been updated and that the fix was applied

If you have installed a package from an NPM user script, use "npm -v" to check if it has been updated. You can also check the package's CHANGELOG to see if a fix was applied.

How to detect this vulnerability in NPM user scripts?

To detect this vulnerability in NPM user scripts, simply use the following code:
if (process.argv.indexOf('--'+user) > 0){
The double quotes are an indication to the Node.js interpreter that what follows is a string and not a keyword. The double quotes are not a security measure and cannot be used to bypass authorization; they are a convenience that makes it easier to insert strings into a script.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe