The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if the dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, which at the time stated that npm ci exits with an error instead of updating the lockfile when the two disagree. Because no cross-check is performed, a stale or tampered package-lock.json is honored as-is, which makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.

References:
https://docs.npmjs.com/cli/v7/commands/npm-ci
https://github.com/npm/cli/issues/2701
https://github.com/icatalina/CVE-2021-43616
https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0
https://security.netapp.com/advisory/ntap-20211210-0002/
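The missing cross-check described above, as an added example that is not part of the advisory and not npm's own code: a pre-flight script that compares the dependency specs declared in package.json with what package-lock.json records for the root package and refuses to proceed on any disagreement. It assumes a lockfileVersion 2 or 3 lockfile (a "packages" map whose "" key is the root package); the sample manifests, the package name "example-extra-pkg" and the function names are constructed for illustration.

```javascript
// Added example, not code from npm or from the advisory: a pre-flight check
// that refuses to proceed when package.json and package-lock.json disagree,
// i.e. the check the affected npm ci versions did not perform.
// Assumption: lockfileVersion 2 or 3, where lock.packages[""] records the
// root package's declared dependency specs and lock.packages["node_modules/<name>"]
// records what was actually resolved. Version-1 lockfiles lack that map and
// are reported as untrustworthy rather than silently accepted.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Flatten the dependency fields of a manifest (package.json or a lockfile
// root entry) into one {name: spec} map.
function collectDeps(manifest) {
  const out = {};
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      out[name] = spec;
    }
  }
  return out;
}

// Return a list of human-readable problems; an empty list means the lockfile
// agrees with package.json. Declared specs are compared as strings against the
// lockfile's own record of the root package; semver ranges are not evaluated
// against resolved versions (that would need the semver package).
function lockfileProblems(pkg, lock) {
  const problems = [];
  const packages = lock.packages || {};
  const root = packages[''];
  if (!root) {
    problems.push('lockfile has no root package entry (lockfileVersion 1 or malformed); refusing to trust it');
    return problems;
  }
  const want = collectDeps(pkg);
  const have = collectDeps(root);
  for (const [name, spec] of Object.entries(want)) {
    if (!(name in have)) {
      problems.push(`missing from lockfile: ${name}@${spec}`);
    } else if (have[name] !== spec) {
      problems.push(`spec mismatch for ${name}: package.json wants ${spec}, lockfile recorded ${have[name]}`);
    }
    if (!packages[`node_modules/${name}`]) {
      problems.push(`no resolved entry node_modules/${name} in lockfile`);
    }
  }
  for (const [name, spec] of Object.entries(have)) {
    if (!(name in want)) {
      problems.push(`extra in lockfile but not in package.json: ${name}@${spec}`);
    }
  }
  return problems;
}

function isInSync(pkg, lock) {
  return lockfileProblems(pkg, lock).length === 0;
}

// Constructed sample inputs (not real project files). The integrity and
// resolved fields of a real lockfile are omitted for brevity.
const PACKAGE_JSON = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: { lodash: '4.17.21' },
  devDependencies: { 'is-odd': '^3.0.1' },
};

const LOCK_IN_SYNC = {
  name: 'demo-app',
  version: '1.0.0',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { lodash: '4.17.21' }, devDependencies: { 'is-odd': '^3.0.1' } },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/is-odd': { version: '3.0.1', dev: true },
  },
};

// A stale or tampered lockfile: lodash recorded with a different spec than
// package.json pins, is-odd never recorded, and an extra package (constructed
// name) smuggled into the root entry.
const LOCK_STALE = {
  name: 'demo-app',
  version: '1.0.0',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { lodash: '^4.17.15', 'example-extra-pkg': '1.0.0' } },
    'node_modules/lodash': { version: '4.17.15' },
    'node_modules/example-extra-pkg': { version: '1.0.0' },
  },
};

for (const [label, lock] of [['in-sync lockfile', LOCK_IN_SYNC], ['stale lockfile', LOCK_STALE]]) {
  const problems = lockfileProblems(PACKAGE_JSON, lock);
  console.log(`${label}: ${problems.length === 0 ? 'OK, safe to run npm ci' : 'REFUSE'}`);
  for (const p of problems) console.log(`  - ${p}`);
}
```

In a real pipeline the two objects would come from JSON.parse of the files on disk and the script would exit non-zero on any problem, so that a job runs it as `node check-lockfile.js && npm ci` and the install step is never reached with a lockfile that does not match package.json. The string comparison of specs is deliberately strict: a lockfile whose root entry was regenerated against a different package.json fails even when the resolved version would still satisfy the new range, which is the conservative choice for a CI install.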
Created nodejs tracking bugs for this issue:
Affects: epel-7 [bug 2050285]
Affects: fedora-all [bug 2050284]

Created npm tracking bugs for this issue:
Affects: epel-7 [bug 2050283]
Upstream issues:
https://github.com/npm/cli/issues/2701
https://github.com/npm/cli/issues/3947

Upstream PR (makes npm ci validate package-lock.json against package.json and abort on a mismatch):
https://github.com/npm/cli/pull/4363

Upstream commit:
https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490f
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8
Via RHSA-2022:4796 https://access.redhat.com/errata/RHSA-2022:4796
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-43616