Affected script: "install-scripts:install"
The script downloads a compiled binary from the internet based on the version information provided and extracts it to a local directory. The vulnerability is that it blindly trusts the downloaded binary without any form of verification (such as checking a checksum or a digital signature) to ensure its integrity. If an attacker were to compromise the download source or perform a man-in-the-middle attack, they could supply a malicious binary, resulting in arbitrary code execution on the local machine with the privileges of the user running this script.
@fuel-ts/forc's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

| Name | Version | Size | License | Type | Vulnerabilities |
|---|---|---|---|---|---|
| node-fetch | 2.7.0 | 43.6 kB | MIT | prod | |