Details of flaws were made public this week
GitHub security researchers have released details of two vulnerabilities they discovered in NPM, the Node.js package manager, one of which could allow a malicious actor to publish new versions of any package without proper authorization.
In a blog post published on November 15, GitHub CISO Mike Hanley revealed that the first issue, which was discovered on October 26, allowed users to gain access to all private NPM packages created before October 20.
This exposure was during routine maintenance of one of GitHub’s publicly available NPM services, Hanley explained.
Read more of the latest security news about GitHub
During maintenance on the database that powers the public NPM replica at replicate.npmjs.com, he wrote, records were created that could expose the names of private packages.
“This briefly allowed consumers of replicate.npmjs.com to potentially identify the names of private packages due to records published in the public changes feed.
“No other information, including the content of these private packages, was accessible at any time,” revealed Hanley.
Affected package names were in the format of ‘@owner/package’ and were created prior to October 20. They were exposed between October 21 at around 13:00 UTC and October 29 15:00 UTC, the blog post explained.
DON’T MISS GitHub changes policy to welcome security researchers
“On October 29, all records containing private package names were removed from the replication database,” said Hanley, who noted that the data had also been “consumed by third-parties who may have replicated the data elsewhere”.
To mitigate this issue from recurring during maintenance, Hanley said that GitHub has made changes “to ensure records containing private package names are not generated during this process”.
Inconsistent authorization checks
The second and most pressing issue was a vulnerability that would allow an attacker to publish new versions of any NPM package using an account without proper authorization.It was reported to GitHub’s bug bounty program on November 2 and was patched within six hours, said Hanley.
The vulnerability was present due to inconsistent authorization checks and validation of data across several microservices that handle requests to the NPM registry.
Hanley explained: “In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths.
“However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.
“This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package.”
GitHub has found no evidence of in-the-wild exploitation – although Hanley admitted that the vulnerability predates the keeping of records, dating back to September 2020, that can provide such evidence.
The issue has been fixed by ensuring consistency across both the publishing service and authorization service to ensure that the same package is being used for both authorization and publishing.
Further improvements
In the blog post, Hanley also said GitHub was “determined to continue to invest in the security of NPM and the broader software security supply chain”.
Part of this commitment includes introducing automated malware detection and stronger authentication requirements for users “within the coming weeks”.
