Affected script: "install-scripts:install"
The downloaded package is being directly extracted and run without any checksum or signature verification, which can lead to remote code execution if the download source is compromised or spoofed (via a Man-in-the-Middle attack, for example). The `fetch` call to download the binary package does not ensure the authenticity or integrity of the package, which can be dangerous if an attacker intercepts the HTTP request or if the package has been replaced with a malicious one on the server. Additionally, since the code is using `execSync` to run shell commands, if there are any flaws in the handling of user input or the URLs, it could lead to command injection vulnerabilities.
@fuel-ts/forc's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name | Version | Size | License | Type | Vulnerabilities
---|---|---|---|---|---
node-fetch | 2.7.0 | 43.6 kB | MIT | prod | 