Affected script: "install-scripts:install"
The script fetches a binary from a fixed URL based on the version from 'forcVersion', and executes it to check its version. This is dangerous for several reasons:
Executing code fetched from the internet can lead to remote code execution if the URL is compromised or if the fetched code is malicious.
There's no checksum or signature verification, meaning the integrity of the downloaded file isn't confirmed, increasing the risk of a supply chain attack.
Arbitrary command execution with execSync that takes user input or data from the internet could lead to command injection vulnerabilities if inputs aren't properly sanitized.
@fuel-ts/forc's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name | Version | Size | License | Type | Vulnerabilities |
---|---|---|---|---|---|
node-fetch | 2.7.0 | 43.6 kB | MIT | prod |