The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.

The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the nodejs-16.16.0-1.el9 build changelog.

  - Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through     log files. The CLI supports URLs like     <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted     and is printed to stdout and also to any generated log files. (CVE-2020-15095)

  - Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application     crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns     library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection     vulnerabilities in applications using the library. (CVE-2021-22931)

  - If the Node.js https API was used incorrectly and undefined was in passed for the rejectUnauthorized     parameter, no error was returned and connections to servers with an expired certificate would have been     accepted. (CVE-2021-22939)

  - Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker     might be able to exploit the memory corruption, to change process behavior. (CVE-2021-22940)

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a     denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of     service. This issue only affects consumers using the strict option. (CVE-2021-27290)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

  - The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency     information in package-lock.json differs from package.json. This behavior is inconsistent with the     documentation, and makes it easier for attackers to install malware that was supposed to have been blocked     by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a     vulnerability. It would require someone to socially engineer package.json which has different dependencies     than package-lock.json. That user would have to have file system or write access to change dependencies.
    The npm team states preventing malicious actors from socially engineering or gaining file system access is     outside the scope of the npm CLI. (CVE-2021-43616)

  - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a     particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3,     < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use.
    Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js     with the fix for this disable the URI SAN type when checking a certificate against a hostname. This     behavior can be reverted through the --security-revert command-line option. (CVE-2021-44531)

  - Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a     string format. It uses this string to check peer certificates against hostnames when validating     connections. The string format was subject to an injection vulnerability when name constraints were used     within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix     for this escape SANs containing the problematic characters in order to prevent the injection. This     behavior can be reverted through the --security-revert command-line option. (CVE-2021-44532)

  - Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished     Names correctly. Attackers could craft certificate subjects containing a single-value Relative     Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in     order to inject a Common Name that would allow bypassing the certificate subject verification.Affected     versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not     vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation     of certificate subjects may be vulnerable. (CVE-2021-44533)

  - Due to the formatting logic of the console.table() function it was not safe to allow user controlled     input to be passed to the properties parameter while simultaneously passing a plain object with at least     one property as the first parameter, which could be __proto__. The prototype pollution has very limited     control, in that it only allows an empty string to be assigned to numerical keys of the object     prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object     these properties are being assigned to. (CVE-2022-21824)

  - A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an     insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check     if an IP address is invalid before making DBS requests allowing rebinding attacks. (CVE-2022-32212)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse     and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). (CVE-2022-32213)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use     the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32214)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly     handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32215)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:4796 advisory.

  - ** DISPUTED ** The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if     dependency information in package-lock.json differs from package.json. This behavior is inconsistent with     the documentation, and makes it easier for attackers to install malware that was supposed to have been     blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is     not a vulnerability. It would require someone to socially engineer package.json which has different     dependencies than package-lock.json. That user would have to have file system or write access to change     dependencies. The npm team states preventing malicious actors from socially engineering or gaining file     system access is outside the scope of the npm CLI. (CVE-2021-43616)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-084 advisory.

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - ** DISPUTED ** The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if     dependency information in package-lock.json differs from package.json. This behavior is inconsistent with     the documentation, and makes it easier for attackers to install malware that was supposed to have been     blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is     not a vulnerability. It would require someone to socially engineer package.json which has different     dependencies than package-lock.json. That user would have to have file system or write access to change     dependencies. The npm team states preventing malicious actors from socially engineering or gaining file     system access is outside the scope of the npm CLI. (CVE-2021-43616)

  - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a     particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3,     < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use.
    Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js     with the fix for this disable the URI SAN type when checking a certificate against a hostname. This     behavior can be reverted through the --security-revert command-line option. (CVE-2021-44531)

  - Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a     string format. It uses this string to check peer certificates against hostnames when validating     connections. The string format was subject to an injection vulnerability when name constraints were used     within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix     for this escape SANs containing the problematic characters in order to prevent the injection. This     behavior can be reverted through the --security-revert command-line option. (CVE-2021-44532)

  - Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished     Names correctly. Attackers could craft certificate subjects containing a single-value Relative     Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in     order to inject a Common Name that would allow bypassing the certificate subject verification.Affected     versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not     vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation     of certificate subjects may be vulnerable. (CVE-2021-44533)

  - Due to the formatting logic of the console.table() function it was not safe to allow user controlled     input to be passed to the properties parameter while simultaneously passing a plain object with at least     one property as the first parameter, which could be __proto__. The prototype pollution has very limited     control, in that it only allows an empty string to be assigned to numerical keys of the object     prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object     these properties are being assigned to. (CVE-2022-21824)

  - A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an     insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check     if an IP address is invalid before making DBS requests allowing rebinding attacks. (CVE-2022-32212)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse     and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). (CVE-2022-32213)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use     the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32214)

  - The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly     handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
    (CVE-2022-32215)

  - A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which     allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin     user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3. (CVE-2022-32222)

  - Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows     platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows     machine:* OpenSSL has been installed and C:\Program Files\Common Files\SSL\openssl.cnf exists.Whenever     the above conditions are present, `node.exe` will search for `providers.dll` in the current user     directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in     Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of     paths and exploit this vulnerability. (CVE-2022-32223)

  - A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with     EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems     with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can     (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically     strong and therefore not suitable as keying material. (CVE-2022-35255)

  - The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not     terminated with CLRF. This may result in HTTP Request Smuggling. (CVE-2022-35256)

  - A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint     checking. Note that this occurs after certificate chain signature verification and requires either a CA to     have signed the malicious certificate or for the application to continue certificate verification despite     failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to     overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash     (causing a denial of service) or potentially remote code execution. Many platforms implement stack     overflow protections which would mitigate against the risk of remote code execution. The risk may be     further mitigated based on stack layout for any given platform/compiler. Pre-announcements of     CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors     described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new     version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server.
    In a TLS server, this can be triggered if the server requests client authentication and a malicious client     connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6). (CVE-2022-3602)

  - A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint     checking. Note that this occurs after certificate chain signature verification and requires either a CA to     have signed a malicious certificate or for an application to continue certificate verification despite     failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a     certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the     stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this     can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server     requests client authentication and a malicious client connects. (CVE-2022-3786)

  - A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due     to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly     check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this     issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is     to complete the fix. (CVE-2022-43548)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of nodejs installed on the remote host is prior to 18.4.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-214 advisory.

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can     lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of     chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - ** DISPUTED ** The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if     dependency information in package-lock.json differs from package.json. This behavior is inconsistent with     the documentation, and makes it easier for attackers to install malware that was supposed to have been     blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is     not a vulnerability. It would require someone to socially engineer package.json which has different     dependencies than package-lock.json. That user would have to have file system or write access to change     dependencies. The npm team states preventing malicious actors from socially engineering or gaining file     system access is outside the scope of the npm CLI. (CVE-2021-43616)

  - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a     particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3,     < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use.
    Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js     with the fix for this disable the URI SAN type when checking a certificate against a hostname. This     behavior can be reverted through the --security-revert command-line option. (CVE-2021-44531)

  - Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a     string format. It uses this string to check peer certificates against hostnames when validating     connections. The string format was subject to an injection vulnerability when name constraints were used     within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix     for this escape SANs containing the problematic characters in order to prevent the injection. This     behavior can be reverted through the --security-revert command-line option. (CVE-2021-44532)

  - Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished     Names correctly. Attackers could craft certificate subjects containing a single-value Relative     Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in     order to inject a Common Name that would allow bypassing the certificate subject verification.Affected     versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not     vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation     of certificate subjects may be vulnerable. (CVE-2021-44533)

  - Due to the formatting logic of the console.table() function it was not safe to allow user controlled     input to be passed to the properties parameter while simultaneously passing a plain object with at least     one property as the first parameter, which could be __proto__. The prototype pollution has very limited     control, in that it only allows an empty string to be assigned to numerical keys of the object     prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object     these properties are being assigned to. (CVE-2022-21824)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2022-048 advisory.

  - The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency     information in package-lock.json differs from package.json. This behavior is inconsistent with the     documentation, and makes it easier for attackers to install malware that was supposed to have been blocked     by an exact version match requirement in package-lock.json. (CVE-2021-43616)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2022:4796 advisory.

  - The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency     information in package-lock.json differs from package.json. This behavior is inconsistent with the     documentation, and makes it easier for attackers to install malware that was supposed to have been blocked     by an exact version match requirement in package-lock.json. (CVE-2021-43616)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-4796 advisory.

    - Resolves CVE-2021-43616

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:4796 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    Security Fix(es):

    * npm: npm ci succeeds when package-lock.json doesn't match package.json (CVE-2021-43616)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by a vulnerability as referenced in the CESA-2022:4796 advisory.

  - npm: npm ci succeeds when package-lock.json doesn't match package.json (CVE-2021-43616)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
191380	CentOS 9 : nodejs-16.16.0-1.el9	Nessus	CentOS Local Security Checks	critical
184875	Rocky Linux 8 : nodejs:16 (RLSA-2022:4796)	Nessus	Rocky Linux Local Security Checks	critical
173113	Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2023-084)	Nessus	Amazon Linux Local Security Checks	critical
168555	Amazon Linux 2022 : nodejs (ALAS2022-2022-214)	Nessus	Amazon Linux Local Security Checks	critical
164765	Amazon Linux 2022 : (ALAS2022-2022-048)	Nessus	Amazon Linux Local Security Checks	critical
161904	AlmaLinux 8 : nodejs:16 (ALSA-2022:4796)	Nessus	Alma Linux Local Security Checks	critical
161681	Oracle Linux 8 : nodejs:16 (ELSA-2022-4796)	Nessus	Oracle Linux Local Security Checks	critical
161673	RHEL 8 : nodejs:16 (RHSA-2022:4796)	Nessus	Red Hat Local Security Checks	critical
161668	CentOS 8 : nodejs:16 (CESA-2022:4796)	Nessus	CentOS Local Security Checks	critical

Detections

Analytics

CVE-2021-43616

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical