Affected script: "install-scripts:install"
The script has several security vulnerabilities:
- It runs `execSync` with interpolated input (`${binPath} --version`), which could lead to command injection if `binPath` is somehow controlled by an attacker or manipulated to include malicious commands.
- It fetches and writes a file from a URL constructed from user input without validation (`pkgUrl`) and then directly executes a `tar` command to extract it, which could lead to a supply chain attack by downloading and executing malicious code if the URL is compromised or spoofed.
- There's no checksum validation of the downloaded package, making it susceptible to a man-in-the-middle (MITM) attack where an attacker could replace the binary with a malicious one.
- There's a potential directory traversal issue with `pkgName` being used to construct filesystem paths without any validation, which can lead to arbitrary file write if `pkgPlatform` can be controlled by an attacker.
@fuel-ts/forc's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

| Name | Version | Size | License | Type | Vulnerabilities |
|---|---|---|---|---|---|
| node-fetch | 2.7.0 | 43.6 kB | MIT | prod | |