
[BUG] `npm audit` not working properly with pre-releases / JFrog article "Invisible npm malware"

Open Marcono1234 opened this issue 3 years ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

As described in the JFrog post "Invisible npm malware – evading security checks with crafted versions", npm audit is unable to detect vulnerabilities in pre-release versions.

Their post says:

Following a disclosure from JFrog, we learned from the NPM maintainers that this functionality is the expected behavior, therefore we do not expect this behavior to change.

Could you please explain why you consider this expected behavior (even if the answer is that this is a technical limitation)? Even though you should normally avoid depending on pre-releases, in some cases it might be necessary (e.g. to get an important bug fix), and it would certainly be useful to also be notified about vulnerabilities if there are any.

Expected Behavior

npm audit should detect vulnerabilities in pre-release versions of dependencies.

Steps To Reproduce

  1. Create a package.json with the following content
    {
      "name": "test",
      "version": "1.0.0",
      "dependencies": {
        "cruddl": "2.0.0-update.2"
      }
    }
    
  2. Run npm install, then npm audit ❌ Bug: No vulnerability is detected
  3. Change the dependency version to 1.7.6 or 2.0.0 and repeat step 2 ✔️ As expected: The vulnerability is detected

Environment

  • npm: 9.2.0
  • Node.js: v16.14.2
  • OS Name: Windows 10
  • System Model Name:
  • npm config:
; "builtin" config from #redacted#\AppData\Roaming\npm\node_modules\npm\npmrc

prefix = "#redacted#\\AppData\\Roaming\\npm"

; "cli" config from command line options

location = "project"

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v16.14.2
; npm local prefix = #redacted#\Downloads\npm-test
; npm version = 9.2.0
; cwd = #redacted#\Downloads\npm-test
; HOME = #redacted#
; Run `npm config ls -l` to show all defaults.

Marcono1234 · Dec 10 '22 22:12

I encountered a similar issue with a specific version of crypto-js that has a version number which doesn't follow strict semantic versioning nomenclature. Is there an expectation that this will be resolved in an upcoming NPM release? The below reproduction is on npm 10.2.4.

Expected Behavior

npm audit should detect vulnerabilities in pre-release versions of dependencies.

Steps To Reproduce

  1. Create a package.json with the following content
     {
       "name": "test",
       "version": "1.0.0",
       "dependencies": {
         "crypto-js": "3.1.9-1"
       }
     }
  2. Run npm install, then npm audit ❌ Bug: No vulnerability is detected
  3. Change the dependency version to 3.1.8 or 3.2.0 and repeat step 2 ✔️ As expected: The vulnerability is detected

Environment

  • npm: 10.2.4
  • Node.js: v18.17.1
  • OS Name: Ubuntu 20.04
  • npm config
; node bin location = /usr/bin/node
; node version = v18.17.1
; npm local prefix = /home/#redacted#/dev/temp/test
; npm version = 10.2.4
; cwd = /home/#redacted#/dev/temp/test
; HOME = /home/#redacted#
; Run `npm config ls -l` to show all defaults.

tim-holgate-st · Nov 28 '23 19:11

This is affecting us wrt multer.

npm audit reports nothing for multer@1.4.5-lts.1 but Dependabot Security flags the dependency.

Note that the GitHub Security Advisory explicitly flags multer versions >=1.4.4-lts.1:

  • https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg
  • https://github.com/expressjs/multer/security/advisories/GHSA-4pg4-qvpc-4q3h

Probing multer@1.4.4-lts.1 returns two findings:

curl https://registry.npmjs.org/-/npm/v1/security/advisories/bulk \
  -H 'content-type: application/json' \
  --data '{"multer":["1.4.4-lts.1"]}'
{"multer": [
  {
    "id": 1104780,
    "url": "https://github.com/advisories/GHSA-4pg4-qvpc-4q3h",
    "title": "Multer vulnerable to Denial of Service from maliciously crafted requests",
    "severity": "high",
    "vulnerable_versions": ">=1.4.4-lts.1 <2.0.0",
    "cwe": ["CWE-248"],
    "cvss": {
      "score": 7.5,
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    }
  },
  {
    "id": 1105262,
    "url": "https://github.com/advisories/GHSA-g5hg-p3ph-g8qg",
    "title": "Multer vulnerable to Denial of Service via unhandled exception",
    "severity": "high",
    "vulnerable_versions": ">=1.4.4-lts.1 <2.0.1",
    "cwe": ["CWE-248"],
    "cvss": {
      "score": 0,
      "vectorString": null
    }
  }
]}

But probing for multer@1.4.5-lts.1 returns nothing:

curl https://registry.npmjs.org/-/npm/v1/security/advisories/bulk \
  -H 'content-type: application/json' \
  --data '{"multer":["1.4.5-lts.1"]}'
{}

joebowbeer · Jun 10 '25 19:06
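Editor's note, with an added worked example that is not code from npm, the registry, or any commenter in this thread. All three reports (cruddl 2.0.0-update.2, crypto-js 3.1.9-1, multer 1.4.5-lts.1) fit the default pre-release rule of node-semver range matching: a version carrying a pre-release tag only satisfies a range if at least one comparator in the range carries a pre-release tag on the same major.minor.patch tuple, unless the caller opts in with includePrerelease. The page does not say what matcher the registry's bulk advisory endpoint actually uses, so treating it as node-semver semantics is this note's assumption. The block below reimplements that rule (explicit comparators only, no ^, ~, x-ranges or hyphen ranges) and runs it over the multer range quoted from the registry response above; the ranges used for the cruddl and crypto-js versions are hypothetical stand-ins, since the real advisory ranges are not on the page. It also goes one step past the thread by showing a ">=2.0.0-0" comparator, which is how a range author can opt pre-releases of a tuple back in.

```javascript
// Added example: minimal reimplementation of node-semver comparator matching,
// including the default rule that drops pre-release versions (see satisfies).
// Supports explicit comparators (>=, >, <=, <, =) joined by spaces (AND) and
// "||" (OR) only; ^, ~, x-ranges and hyphen ranges are not handled.

const VERSION_RE =
  /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseVersion(str) {
  const m = VERSION_RE.exec(str.trim());
  if (!m) throw new Error(`invalid semver: ${str}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    // Pre-release identifiers; purely numeric ones compare as numbers (SemVer 2.0.0, item 11).
    prerelease: m[4] ? m[4].split('.').map((id) => (/^\d+$/.test(id) ? Number(id) : id)) : [],
  };
}

// Compare two pre-release identifiers: numeric sorts before alphanumeric,
// otherwise numeric order for numbers and lexical order for strings.
function compareIdentifiers(a, b) {
  const aNum = typeof a === 'number';
  const bNum = typeof b === 'number';
  if (aNum !== bNum) return aNum ? -1 : 1;
  return a === b ? 0 : a < b ? -1 : 1;
}

// Returns -1, 0 or 1 for a < b, a == b, a > b.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  // Same tuple: a release is higher than any pre-release of it.
  if (a.prerelease.length === 0 || b.prerelease.length === 0) {
    return a.prerelease.length === b.prerelease.length ? 0 : a.prerelease.length === 0 ? 1 : -1;
  }
  const n = Math.max(a.prerelease.length, b.prerelease.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.prerelease.length) return -1; // a shorter identifier list is lower
    if (i >= b.prerelease.length) return 1;
    const c = compareIdentifiers(a.prerelease[i], b.prerelease[i]);
    if (c !== 0) return c;
  }
  return 0;
}

const OPS = {
  '>=': (c) => c >= 0,
  '>': (c) => c > 0,
  '<=': (c) => c <= 0,
  '<': (c) => c < 0,
  '=': (c) => c === 0,
};

// "cmp cmp ... || cmp cmp ..." -> list of comparator sets (any set may match).
function parseRange(range) {
  return range.split('||').map((set) =>
    set.trim().split(/\s+/).filter(Boolean).map((token) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(token);
      return { op: m[1] || '=', version: parseVersion(m[2]) };
    }),
  );
}

// node-semver semantics: a pre-release version matches a comparator set only
// if every comparator holds AND, unless includePrerelease is set, some
// comparator in that set itself carries a pre-release tag on the same
// major.minor.patch tuple. That second clause is what drops 1.4.5-lts.1
// from ">=1.4.4-lts.1 <2.0.1" while 1.4.4-lts.1 still matches.
function satisfies(versionStr, range, { includePrerelease = false } = {}) {
  const v = parseVersion(versionStr);
  return parseRange(range).some((set) => {
    if (!set.every(({ op, version }) => OPS[op](compareVersions(v, version)))) return false;
    if (v.prerelease.length === 0 || includePrerelease) return true;
    return set.some(({ version: c }) =>
      c.prerelease.length > 0 && c.major === v.major && c.minor === v.minor && c.patch === v.patch);
  });
}

// Vulnerable range quoted from the registry response for GHSA-g5hg-p3ph-g8qg above.
const MULTER_RANGE = '>=1.4.4-lts.1 <2.0.1';

// The thread's cases; ranges marked hypothetical are stand-ins, not the real advisory ranges.
function demo() {
  const cases = [
    ['1.4.4-lts.1', MULTER_RANGE, false],
    ['1.4.5-lts.1', MULTER_RANGE, false],
    ['1.4.5-lts.1', MULTER_RANGE, true],
    ['3.1.9-1', '<3.2.0', false], // hypothetical range, crypto-js report
    ['2.0.0-update.2', '<2.0.1', false], // hypothetical range, cruddl report
    ['2.0.0-update.2', '>=2.0.0-0 <2.0.1', false], // a "-0" comparator opts pre-releases back in
  ];
  return cases.map(([v, r, inc]) =>
    `${v} in "${r}"${inc ? ' +includePrerelease' : ''} -> ${satisfies(v, r, { includePrerelease: inc })}`);
}

for (const line of demo()) console.log(line);
```

Run it with node and compare against the two curl probes above: 1.4.4-lts.1 matches because the range's own lower bound is a pre-release on the 1.4.4 tuple, while 1.4.5-lts.1 is rejected even though it sits numerically inside the range, and comes back only when includePrerelease is set. The practical consequence for anyone pinning an LTS or pre-release build is that a range written with a plain upper bound (here <2.0.1) will never cover their version in a default matcher, whichever tool does the matching.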