CVE-2022-29244
Information Exposure vulnerability in npm (npm)

Information Exposure No known exploit

What is CVE-2022-29244 About?

This vulnerability is an information exposure flaw in npm where `npm pack` ignores `.gitignore` and `.npmignore` directives in workspace contexts. Its impact is the inclusion of sensitive, uncommitted files in published packages, leading to unintended data exposure. Exploitation is simple: anyone who has published npm packages from a workspace using a vulnerable npm version may be affected.

Affected Software

npm >7.9.0, <8.11.0

Technical Details

The vulnerability stems from a flaw in how `npm pack` and `npm publish` handle exclusion directives in `.gitignore` and `.npmignore` files when operating within an npm workspace. Specifically, if these ignore files sit at the root of a multi-package repository (the workspace root), npm versions prior to 8.11.0 fail to apply their exclusion rules to packages packed or published from within the workspace. Files that exist in the workspace and are matched by the root-level ignore files, such as configuration files, development artifacts, or even sensitive credentials, are therefore erroneously included in the final package. The attack vector is the unintentional publication of these files, leading to sensitive information exposure.
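As an added example (not npm's own code and not part of this advisory), the pre-publish check a maintainer would want for this class of bug: open the tarball that `npm pack` produced and list every entry that the root-level ignore rules should have excluded. The tarball, the `.npmignore` body and the file names below are constructed samples, and the matcher is a deliberately simplified gitignore subset (no negation, no `**`), so it is a detector for the leak, not a reimplementation of npm's ignore logic.

```python
import fnmatch, io, tarfile


def parse_ignore(text):
    """Ignore patterns from a .gitignore/.npmignore body; comments and blank lines dropped.
    Simplified subset: leading '/' anchors to the package root, trailing '/' marks a
    directory; negation ('!') and '**' are not handled."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def is_ignored(rel_path, patterns):
    """True if rel_path (relative to the package root) matches any ignore pattern."""
    parts = rel_path.split("/")
    for pat in patterns:
        core = pat.strip("/")
        if pat.startswith("/"):  # anchored: only matches from the package root
            if fnmatch.fnmatch(rel_path, core) or rel_path.startswith(core + "/"):
                return True
        else:  # unanchored: may match any single path component or any path suffix
            if any(fnmatch.fnmatch("/".join(parts[i:]), core) or fnmatch.fnmatch(parts[i], core)
                   for i in range(len(parts))):
                return True
    return False


def audit_tarball(tgz_bytes, patterns):
    """Files inside an npm-style tarball (entries prefixed 'package/') that the rules should exclude."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        rels = [m.name.partition("/")[2] for m in tar.getmembers() if m.isfile()]
    return sorted(r for r in rels if is_ignored(r, patterns))


def build_demo_tarball(files):
    """Constructed sample: in-memory .tgz laid out like `npm pack` output (not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo("package/" + name)
            info.size = len(content.encode())
            tar.addfile(info, io.BytesIO(content.encode()))
    return buf.getvalue()


ROOT_NPMIGNORE = "# constructed root-level .npmignore\n.env\n*.pem\n/coverage/\n"
DEMO_FILES = {  # constructed contents of a packed workspace package
    "src/index.js": "module.exports = 1;",
    ".env": "DB_PASSWORD=placeholder",
    "certs/server.pem": "-----BEGIN PLACEHOLDER KEY-----",
    "coverage/lcov.info": "TN:",
}


def demo():  # entries that leaked past the root ignore rules in the constructed tarball
    return audit_tarball(build_demo_tarball(DEMO_FILES), parse_ignore(ROOT_NPMIGNORE))
```

Against a real workspace, feed `audit_tarball` the `.tgz` written by `npm pack` and the contents of the root `.npmignore` or `.gitignore`; a non-empty result means the package must not be published as is.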

What is the Impact of CVE-2022-29244?

Successful exploitation may allow attackers to gain access to sensitive information or intellectual property that was unintentionally published in publicly accessible packages.

What is the Exploitability of CVE-2022-29244?

Exploitation of this vulnerability is straightforward and does not require active malicious intent from an attacker: it is an inherent flaw in the `npm pack` and `npm publish` processes of the affected npm versions. There are no authentication or privilege requirements for an attacker, since the vulnerability resides in the publishing mechanism itself. The issue occurs locally when a developer runs `npm pack` or `npm publish` with workspace flags on a vulnerable version of npm. The key condition is the presence of root-level `.gitignore` or `.npmignore` files in a workspace setup that are meant to exclude certain files. The likelihood of exploitation is high for projects using npm workspaces and vulnerable npm versions, as it happens automatically during the publishing process if not explicitly mitigated. This poses a significant risk of unintended information exposure.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-29244?

Available Upgrade Options

  • npm
    • >7.9.0, <8.11.0 → Upgrade to 8.11.0


Additional Resources

What are Similar Vulnerabilities to CVE-2022-29244?

Similar Vulnerabilities: CVE-2021-23398, CVE-2017-16017, CVE-2018-1000636, CVE-2020-15167, CVE-2020-28500