Affected script: "install-scripts:install"
The script downloads and extracts a tar.gz archive from the internet, choosing the URL from a version number read from the environment. It then runs the downloaded binary with --version without first verifying the binary's integrity or authenticity. This can lead to remote code execution if an attacker can cause the system to download a malicious binary, for example by tampering with the version number or intercepting the download request (a Man-in-the-Middle attack). The script performs no checksum verification to confirm that the downloaded package is the intended one, a common safeguard against exactly this kind of attack.
@fuel-ts/forc's direct dependencies (data on all dependencies, including transitive ones, is available via CSV download):

Name | Version | Size | License | Type | Vulnerabilities
---|---|---|---|---|---
node-fetch | 2.7.0 | 43.6 kB | MIT | prod | 