Skip links

GitHub fixes authorisation vulnerability in the NPM JavaScript package registry

GitHub said it has fixed a longstanding issue with the NPM (Node Package Manager) JavaScript registry that would allow an attacker to update any package without proper authorisation.

Chief security officer Mike Hanley posted yesterday about the issue, which was reported by security researchers Kajetan Grzybowski and Maciej Piechota on 2 November and patched within six hours. That impressive speed contrasts with the length of time the vulnerability existed, said to be longer than “the timeframe for which we have available telemetry, which goes back to September 2020.”

The vulnerability was based on a familiar insecurity pattern, where the system correctly authenticates a user but then allows access beyond what that user’s permissions should enable. In this case, the NPM service correctly validated that a user was authorised to update a package, but “the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.

“This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package.”

NPM is an essential resource for millions of developers; for example, one of the most popular packages is lodash, a JavaScript utility library that is downloaded around seven million times a day. The consequences of a malicious version of such a package would be severe, which is why Hanley added that “we can say with high confidence that this vulnerability has not been exploited maliciously” at least since September 2020.

Hanley also revealed that the names of some privately published packages, which should not be listed on the public registry, were inadvertently exposed via a public NPM replica, for about a week. The content of the packages were not accessible, though, and this was fixed on 29 October.

GitHub is planning to tighten the security of the NPM registry by requiring two-factor authentication (2FA) for maintainers and admins of the most popular packages, starting in the first quarter of 2022. 2FA is already possible but not required. The 2FA technology used will be WebAuthn. Details of how this will work will be published “in the coming weeks,” Hanley said.

The goal is to prevent account takeovers, such as last month’s incident involving ua-parser-js. At the time GitHub warned: “Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.”

The NPM community has also discussed strengthening security via code signing. It is already possible to verify the PGP (Pretty Good Privacy) signature of an NPM package but this only guarantees that the package downloaded matches what was published, and would not help in the case where a package is published but without proper authorisation. ®