Affected script: `install-scripts:install`

The `install.js` script downloads and installs a binary from a hardcoded URL. That is not inherently dangerous by itself, but the script does not verify the integrity of the downloaded file, which leaves an opening for a Man-In-The-Middle (MITM) attack in which the URL is hijacked or the file at the source is replaced with a malicious version. Additionally, the script uses `execSync()` to run shell commands built from the content of variables (such as `execSync('rm -rf ${binDir}/*')` and `execSync('tar xzf "${pkgPath}" -C "${rootDir}"')`); these could potentially be exploited if an attacker controls the input, leading to arbitrary code execution. There is no validation that the downloaded file is actually the file intended or that it has not been tampered with, which presents a risk of running malicious code.
`@fuel-ts/fuel-core`'s direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

| Name | Version | Size | License | Type | Vulnerabilities |
|---|---|---|---|---|---|
| node-fetch | 2.7.0 | 43.6 kB | MIT | prod | |