lockfile-lint-api, Incorrect Behavior Order, CVE-2025-12345 (Moderate)

How the CVE Works

The vulnerability in lockfile-lint-api (before v5.9.2) stems from improper validation of the `resolved` attribute in package URLs. The validation logic checks the package name early but fails to enforce strict path restrictions, allowing attackers to manipulate the package name by appending additional characters or paths. This bypass enables malicious actors to trick the system into installing unintended npm packages instead of the legitimate ones specified in the lockfile. The incorrect order of validation steps permits this exploitation before full URL verification completes.

DailyCVE Form:

Platform: npm
Version: <5.9.2
Vulnerability: Incorrect Behavior Order
Severity: Moderate
Date: May 16, 2025

What Undercode Says:

Exploitation:

1. Malicious Package Injection: Craft a manipulated `package-lock.json` with a tampered `resolved` URL.

    "resolved": "https://registry.npmjs.org/legit-pkg/-/malicious-pkg-1.0.0.tgz"

2. Bypass Validation: Exploit lax checks by extending the package name:

    [email protected]/../malicious-pkg

Protection:

1. Update: Upgrade to lockfile-lint-api ≥5.9.2.

npm install lockfile-lint-api@latest

2. Strict Validation: Enforce full URL parsing before name checks.

// Parse the full URL first, then check the tarball path; the name check
// must never run on the raw string before parsing completes.
const validateResolved = (url) => {
  const parsed = new URL(url);
  if (!parsed.pathname.endsWith('legit-pkg.tgz')) {
    throw new Error('Invalid package');
  }
};

3. CI/CD Checks: Integrate lockfile-lint-api in pipelines:

- name: Audit lockfile
  run: npx lockfile-lint --path package-lock.json --validate-https
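The strict-validation step above, worked through as an added example (not lockfile-lint-api's own code): every `resolved` URL is fully parsed before any name comparison, and the tarball path must equal the one expected for the entry's exact name and version, which is what defeats both the renamed tarball and the `..` traversal shown in the Exploitation section. The trusted-host set, the `mirror.example` host and the sample lockfile fragment are constructed for illustration.

```javascript
// Added example, not lockfile-lint-api's own code: audit each `resolved` URL in a
// lockfile v2/v3 `packages` map by parsing the whole URL first, then requiring the
// tarball path to match the entry's exact name and version. Sample data is constructed.
const TRUSTED_HOSTS = new Set(['registry.npmjs.org']);

// Registry tarball layout: /<name>/-/<basename>-<version>.tgz, where <basename>
// is the package name with any @scope/ prefix removed.
function expectedTarballPath(name, version) {
  const basename = name.startsWith('@') ? name.split('/')[1] : name;
  return `/${name}/-/${basename}-${version}.tgz`;
}

// The package name is whatever follows the last "node_modules/" in the lockfile key.
const nameFromKey = (key) => key.replace(/^.*node_modules\//, '');

// Returns null when the entry is acceptable, otherwise a reason string.
function checkResolved(name, version, resolved) {
  let url;
  try {
    url = new URL(resolved); // the full parse happens before any name comparison
  } catch {
    return 'unparseable resolved URL';
  }
  if (url.protocol !== 'https:') return 'resolved URL is not https';
  if (!TRUSTED_HOSTS.has(url.hostname)) return `untrusted host ${url.hostname}`;
  // new URL() already collapsed ".." segments, so strict pathname equality rejects a renamed tarball and a traversal alike.
  const expected = expectedTarballPath(name, version);
  return url.pathname === expected ? null : `tarball path ${url.pathname} != ${expected}`;
}

// Walks the `packages` map and returns one finding per rejected entry.
function lintLockfile(lockfile) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (!entry.resolved) continue; // root project or bundled dependency
    const reason = checkResolved(nameFromKey(key), entry.version, entry.resolved);
    if (reason) findings.push({ key, reason });
  }
  return findings;
}

// Constructed lockfile fragment: two good entries followed by three that must be rejected.
const SAMPLE_LOCKFILE = { packages: {
  'node_modules/legit-pkg': { version: '1.0.0', resolved: 'https://registry.npmjs.org/legit-pkg/-/legit-pkg-1.0.0.tgz' },
  'node_modules/@acme/lib': { version: '2.3.4', resolved: 'https://registry.npmjs.org/@acme/lib/-/lib-2.3.4.tgz' },
  'node_modules/a/node_modules/legit-pkg': { version: '1.0.0', resolved: 'https://registry.npmjs.org/legit-pkg/-/malicious-pkg-1.0.0.tgz' },
  'node_modules/b/node_modules/legit-pkg': { version: '1.0.0', resolved: 'https://registry.npmjs.org/legit-pkg/../malicious-pkg/-/malicious-pkg-1.0.0.tgz' },
  'node_modules/c': { version: '2.0.0', resolved: 'https://mirror.example/c/-/c-2.0.0.tgz' },
} };
console.log(lintLockfile(SAMPLE_LOCKFILE)); // three findings, one per tampered entry
```

Running it under Node prints the three findings for the tampered entries; wiring `lintLockfile` into the CI step above and failing the job on a non-empty result is the same check the page recommends, applied before install.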

Analytics:

  • Impact: Supply chain attacks via dependency confusion.
  • Detection: Monitor for unusual package resolutions in logs.
  • Mitigation: Restrict registry sources to trusted URLs.
