CVE-2022-29244 - npm pack ignores .gitignore and .npmignore file exclusion directives in workspaces, potentially leading to unintended file publication

A recently discovered vulnerability (CVE-2022-29244) affects Node.js workspaces when running npm pack or npm publish commands. This vulnerability causes the npm pack to ignore the root-level .gitignore and .npmignore directives in workspaces, potentially resulting in unintended file publication to the npm registry.

Users that have run npm pack or npm publish in a workspace as of npm v7.9. and v7.13., respectively, may be affected. If you're using a Node.js version that includes a vulnerable npm version, you're at risk of unknowingly publishing sensitive files to the npm registry. This article outlines the technical details of this vulnerability, its consequences, and the required mitigation steps.

Exploit Details

This vulnerability occurs because the npm pack skips over the .gitignore and .npmignore files present at the workspace's root level when packing or publishing. As a result, the intended file exclusion directives specified in these files don't apply when running the commands in workspaces.

For instance, consider the following workspace structure

my-workspace/
  .gitignore
  package-1/
    .npmignore
    package.json
  package-2/
    .npmignore
    package.json

If your .gitignore file contains file exclusion directives like this

# .gitignore
node_modules/
*.log

Running npm pack or npm publish in any of the workspace package folders (package-1 or package-2) will ignore the root-level .gitignore. As a result, undesired files (e.g., .log files) inside these package folders could get published to the npm registry inadvertently.

Affected Versions

Users running npm versions v7.9. and v7.13. or higher for npm pack and npm publish, respectively, may be affected. Also, Node.js users with the following versions could be affected as they ship with vulnerable npm versions:

Mitigation

To address this vulnerability, users should upgrade to npm version v8.11. or later by running the following command:

npm i -g npm@latest

Additionally, it's important to review your workspaces' published packages for any unintended files in the npm registry. If necessary, republish the packages with the correct file exclusions using an updated version of npm.

Node.js users should also upgrade to a patched version, which includes updates to the underlying npm client as configured below:

For more information about the vulnerability, refer to the official CVE-2022-29244 entry

- CVE-2022-29244

And check out the npm release notes discussing the vulnerability and resolution

- npm v8.11. Release Notes

Conclusion

The CVE-2022-29244 vulnerability could lead to potential information exposure and unintended file publication when using npm pack or npm publish in workspaces. Affected users should take immediate action to remedy the vulnerability and ensure sensitive information isn't inadvertently shared through the npm registry. Stay vigilant and up-to-date to keep your code and user data safe.

Timeline

Published on: 06/13/2022 14:15:00 UTC
Last modified on: 07/22/2022 19:15:00 UTC