Affected script: "install-scripts:postinstall"
The script is a potential security vulnerability because it downloads and executes a remote shell script using the curl and sh commands. Specifically, the part "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y" downloads a script and executes it locally, which can lead to remote code execution (RCE), root access to local resources, or other threats if the remote script contains malicious code.
Even though rustup is often installed in this way, the script isn't verified before execution, so running it is still considered a security risk. An attacker with the ability to modify the rustup.rs script could execute arbitrary code on systems where this script is run. Some solutions would be to verify the integrity of the downloaded code (checksum or digital signature) or to download and use packages from trusted repositories.
wasm-grate's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name | Version | Size | License | Type | Vulnerabilities |
---|---|---|---|---|---|