Affected script: "install-scripts:install"
The script is designed to download a binary package from the internet based on the version specified in a `VERSION` file or through some external input, extract it, and execute the binary to check its version. The use of `execSync` with template literals can pose a command injection risk if `binPath` or `pkgPath` includes untrusted or manipulated input. Additionally, there is no checksum verification for the downloaded package, leaving the system vulnerable to a Man-in-the-Middle (MITM) attack in which an attacker could serve a malicious package instead of the intended one. The script automatically executes commands and writes files with the privileges of the current user, which could easily be exploited if any of these steps are compromised.
`@fuel-ts/forc`'s direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

| Name | Version | Size | License | Type | Vulnerabilities |
|---|---|---|---|---|---|
| node-fetch | 2.7.0 | 43.6 kB | MIT | prod | |