Affected script: "install-scripts:install"
The script downloads and extracts a tarball from the internet without any checksum verification or signature validation, which leaves it open to a man-in-the-middle attack. An attacker who compromises the server hosting the tarball, or who intercepts the network traffic, could serve a malicious tarball containing harmful binaries, leading to remote code execution when the binary is run. Additionally, the use of execSync with template strings to execute commands built from user-supplied input may lead to command injection if that input is not properly sanitized.
@fuel-ts/fuel-core's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name | Version | Size | License | Type | Vulnerabilities |
---|---|---|---|---|---|
node-fetch | 2.7.0 | 43.6 kB | MIT | prod | |