Affected script: "install-scripts:install"
The script contains a variety of security risks due to both intentional actions and poor security practices. It downloads and executes a binary from an external source without proper validation, allows for command injection via template literals, and uses dangerous shell commands:
The script downloads a binary from a fixed URL constructed using the version information and platform name, which could be manipulated or spoofed to download malicious binaries.
execSync to remove directories based on unsanitized input allows any command to be executed if the variables contain command operators.
Placing user input directly in a file path without sanitization can lead to a directory traversal attack or allow an attacker to overwrite critical system files.
The use of
renameSync can inadvertently move unauthorized or malicious files into sensitive directories.
These practices can lead to arbitrary code execution, file system manipulation, and potentially giving an attacker control over the host system.
@fuel-ts/fuel-core 's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.