Code4rena (code423n4): 2022-03-timeswap-findings, issue 9
Mar 05, 2022

NPM Dependency confusion. Unclaimed NPM Package and Scope/Org

Source: Code4rena (github.com). Tags: npm, dependency confusion, remote code execution, timeswap-labs, mitigation

Lines of code

Vulnerability details

Impact

I discovered an npm package whose scope is unclaimed on the NPM website. This lets any user claim that package and upload malicious code under the unclaimed name, which results in remote code execution on the machines of developers/users who depend on the timeswap repository and build it in a local environment.

Vulnerable Package Name: @timeswap-labs/timeswap-v1-core

Proof of Concept

  1. Create an organization called “timeswap-labs”.
  2. Create a package called “@timeswap-labs/timeswap-v1-core” under the “timeswap-labs” organization.
  3. An attacker can upload malicious code to the unclaimed npm package with a high version number such as 99.99.99.
  4. Now, if any user or timeswap developer installs it via npm install from package.json, the malicious package will be executed.

As of now, “the package is not claimed on the NPM registry, but it is vulnerable to dependency confusion”.
You can read more about dependency confusion here: <https://dhiyaneshgeek.github.io/web/security/2021/09/04/dependency-confusion/>

Tools Used

Nothing, just OSINT.

Recommended Mitigation Steps

Claim the scope name “timeswap-labs” by following step 1 of the above POC.
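As an added illustration (not part of this report or of the Timeswap project), a small Python audit that lists the scoped dependencies of a package.json that npm would resolve from the public registry, i.e. exactly the scopes whose ownership must be confirmed or claimed as recommended above. The package.json and .npmrc contents are constructed samples; only the vulnerable package name comes from the finding.

```python
"""Flag scoped npm dependencies that resolve from the public registry."""
import json
import re

# Constructed sample inputs. .npmrc uses npm's real syntax: 'registry='
# sets the default registry, '@scope:registry=' overrides it per scope.
PACKAGE_JSON = """{
  "name": "example-consumer",
  "dependencies": {
    "@timeswap-labs/timeswap-v1-core": "^1.0.0",
    "@openzeppelin/contracts": "4.4.2",
    "ethers": "^5.5.0"
  },
  "devDependencies": { "@acme/tooling": "1.2.3" }
}"""
NPMRC = """registry=https://registry.npmjs.org/
@openzeppelin:registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
"""

PUBLIC_REGISTRY = "https://registry.npmjs.org"
SCOPE_RE = re.compile(r"^(@[^/]+)/")
NPMRC_RE = re.compile(r"^(?:(@[^:\s]+):)?registry=(\S+)$")


def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) from .npmrc text."""
    default, scopes = PUBLIC_REGISTRY, {}
    for line in text.splitlines():
        m = NPMRC_RE.match(line.strip())
        if not m:
            continue
        scope, url = m.group(1), m.group(2).rstrip("/")
        if scope:
            scopes[scope] = url
        else:
            default = url
    return default, scopes


def public_scoped_deps(package_json_text, npmrc_text):
    """(name, spec, reason) for every scoped dependency fetched from the
    public registry; a private registry that proxies npmjs is not modelled."""
    pkg = json.loads(package_json_text)
    default, scopes = parse_npmrc(npmrc_text)
    out = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            m = SCOPE_RE.match(name)
            if m and scopes.get(m.group(1), default) == PUBLIC_REGISTRY:
                why = "no scope registry set" if m.group(1) not in scopes else "scope mapped to public registry"
                out.append((name, spec, why))
    return out
```

Each scope it prints is one whose owner on registry.npmjs.org must be the project itself; an unclaimed scope on that list is the condition this report describes.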
