All the vulnerabilities related to the version 1.2.4 of the package
Code injection in fsevents
fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary.
Malicious code in fsevents (npm)
-= Per source details. Do not edit below this line.=-
This advisory is intended to inform the npm ecosystem with details to resolve a third-party malware incident that may have impacted your infrastructure if you are directly or transitively dependent on the fsevents npm package.
fsevents v1.0.0 <= v1.2.10 downloaded binary executables that contained unintended code due to an expired cloud storage resource being reclaimed by a third party.
The fsevents npm package v1.0.0 through v1.2.10 attempts to fetch a pre-built binary executable artifact (fse.node) from cloud storage. If this fetch fails, fsevents v1.x will attempt to build this artifact directly from source.
Version 1.x of fsevents has been deprecated for several years and as a result the aforementioned cloud storage resource namespace was available for registration. A third party, unrelated to the fsevents maintainers, subsequently claimed this namespace and in April 2023 this third party started serving modified versions of the “fse.node” binary executable artifact to new fsevents v1.x users.
As of April 27, 2023 the cloud storage resource in question has been indefinitely suspended and is no longer serving binaries.
The affected cloud storage pre-fetch was removed in fsevents version 1.2.11.
The impact of the modified versions of fse.node appears to be limited to information gathering.
Note that initial analysis was performed for the modified artifact associated with fsevents v1.2.9, which was distributed as fse-v1.2.9-node-v72-darwin-x64.tar.gz prior to the cloud storage resource being suspended.
For more detailed analysis you may compare a decompilation of the v1.x fse.node artifacts on your systems with the intended fsevents v1.x source as it exists at https://github.com/fsevents/fsevents/tree/v1.x
If you are dependent on the deprecated version of fsevents v1.x, the recommended course of action is to upgrade to fsevents v2.x or remove the dependency altogether as currently maintained versions of Node.js no longer require fsevents for file system watching on macOS.
Denial of service while parsing a tar file due to lack of folders count validation
During some analysis today on npm's node-tar package I came across the folder creation process, Basicly if you provide node-tar with a path like this ./a/b/c/foo.txt it would create every folder and sub-folder here a, b and c until it reaches the last folder to create foo.txt, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside
You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video
Here's a video show-casing the exploit:
Denial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources
This report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago
