Affected script: "install-scripts:install"
The code downloads a file from the internet and extracts its content without proper validation of the source or the content. The fetch function downloads a package from a given URL, which appears to be a GitHub releases link for forc-binaries. Then, it uses execSync to extract the package into the binDir directory. Additionally, the same execSync method is used to check the version of an existing binary, which could potentially include malicious code execution if the version output is altered.
This can be exploited if an attacker gains control of the URL from which the package is fetched or the repository it is hosted in, or if they manage to inject a malicious package into the download process. The use of execSync can also lead to remote code execution if unsanitized input is passed to it.
Since the script executes without verifying the integrity of the downloaded file (e.g., by checking a cryptographic signature), it opens up a possibility for a supply chain attack where the binary could be replaced by a malicious one, which would then be executed with the same privileges as the current user.
@fuel-ts/forc 's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.| Name | Version | Size | License | Type | Vulnerabilities |
|---|---|---|---|---|---|
| node-fetch | 2.7.0 | 43.6 kB | MIT | prod |
