Affected script: "install-scripts:install"
The script downloads and installs binaries from a remote server (GitHub) without verifying the integrity of the downloaded file, such as through checksum verification or signature validation. This means if the server is compromised, or if a man-in-the-middle attack occurs, malicious code could be served and executed on the local machine. Furthermore, the use of
execSync allows for arbitrary command executions, which could be dangerous especially if the input parameters are not properly sanitized. The absence of checks to validate the source or integrity of the downloaded binaries creates a security vulnerability.
@fuel-ts/forc's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.