GitHub fixes authorisation vulnerability in the NPM JavaScript package registry
2021-11-16 17:33

GitHub said it has fixed a longstanding issue with the NPM JavaScript registry that would allow an attacker to update any package without proper authorisation.

The vulnerability was based on a familiar insecurity pattern, where the system correctly authenticates a user but then allows access beyond what that user's permissions should enable. In this case, the NPM service correctly validated that a user was authorised to update a package, but "the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.

"This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package."
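The pattern GitHub describes is an authorisation check performed on one identifier (the package named in the request) while the side effect is keyed on another (the name inside the uploaded manifest). The following is an added toy model of that mismatch, written for this page; it is not npm's registry code, and the in-memory registry, the users, the package names and versions, and the handler and helper names (publishVulnerable, publishHardened, writeVersion, canonicalName) are all constructed for illustration.

```javascript
// Toy in-memory registry (constructed for this example, not real npm data).
// Each package records its maintainers and the versions already published.
const registry = {
  'left-pad':   { maintainers: new Set(['alice']), versions: { '1.0.0': {} } },
  'lodash':     { maintainers: new Set(['bob']),   versions: { '4.17.21': {} } },
  '@scope/pkg': { maintainers: new Set(['alice']), versions: { '0.1.0': {} } },
};

function isMaintainer(user, pkgName) {
  const pkg = registry[pkgName];
  return pkg !== undefined && pkg.maintainers.has(user);
}

// Storage layer: writes a version under whatever name it is handed.
// It performs no authorisation of its own, which is exactly why the
// caller must hand it the name that was authorised.
function writeVersion(name, version) {
  const pkg = registry[name];
  if (!pkg) return { ok: false, reason: `no such package ${name}` };
  if (pkg.versions[version]) return { ok: false, reason: `${name}@${version} already exists` };
  pkg.versions[version] = {};
  return { ok: true, published: `${name}@${version}` };
}

// Assumption for this model: the request path carries the package name
// URL-encoded (scoped names arrive as "@scope%2fname"), so the name must
// be decoded before it is compared with anything.
function canonicalName(urlPackageName) {
  return decodeURIComponent(urlPackageName);
}

// VULNERABLE: the maintainer check uses the name from the request path,
// but the write uses the "name" field from the uploaded manifest.
// A maintainer of one package can therefore publish a version of another.
function publishVulnerable(user, urlPackageName, uploadedManifest) {
  const requested = canonicalName(urlPackageName);
  if (!isMaintainer(user, requested)) {
    return { ok: false, reason: `${user} is not a maintainer of ${requested}` };
  }
  // Bug: the identifier that was authorised is discarded here.
  return writeVersion(uploadedManifest.name, uploadedManifest.version);
}

// HARDENED: there is one canonical name; it is checked against the manifest
// before any authorisation decision, authorised, and then passed unchanged
// to the storage layer so the write cannot target a different package.
function publishHardened(user, urlPackageName, uploadedManifest) {
  const requested = canonicalName(urlPackageName);
  if (uploadedManifest.name !== requested) {
    return { ok: false, reason: `manifest name ${uploadedManifest.name} does not match request target ${requested}` };
  }
  if (!isMaintainer(user, requested)) {
    return { ok: false, reason: `${user} is not a maintainer of ${requested}` };
  }
  return writeVersion(requested, uploadedManifest.version);
}
```

The attack against the vulnerable handler is simply alice, a maintainer of left-pad, publishing to left-pad with a tarball whose package.json names lodash: the check passes for left-pad and the write lands on lodash. The hardened handler rejects that request before anything is written, and still accepts alice's legitimate publish of left-pad or of her scoped package. The general rule is that the value used for the authorisation decision and the value used for the side effect must be the same object, compared after any decoding or normalisation, not two values that merely usually agree.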

NPM is an essential resource for millions of developers; for example, one of the most popular packages is lodash, a JavaScript utility library that is downloaded around seven million times a day.

GitHub is planning to tighten the security of the NPM registry by requiring two-factor authentication for maintainers and admins of the most popular packages, starting in the first quarter of 2022.

It is already possible to verify the PGP signature of an NPM package, but this only guarantees that the package downloaded matches what the registry published; it would not help in the case described here, where a version is published through the registry itself without proper authorisation.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/11/16/github_npm_flaw/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Github 10 2 30 29 14 75