SCA: security update for @npmcli/arborist (GHSA-gmw6-94gg-2rc2)

High | Tenable Self-Hosted Container Security | Plugin ID 415214

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed.
  1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.)
  2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe.

  This is patched in @npmcli/arborist 2.8.2, which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2. (CVE-2021-39135)

See Also

https://github.com/advisories/GHSA-gmw6-94gg-2rc2

Plugin Details

Severity: High

ID: 415214

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 1/27/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 3.3

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-39135

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/31/2021

Vulnerability Publication Date: 8/31/2021

Reference Information

CVE: CVE-2021-39135