Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05N20zLXcyY3AtNHh4Ns0zNw

Embedded Malicious Code in node-ipc

The package node-ipc versions 10.1.1 and 10.1.2 are vulnerable to embedded malicious code that was introduced by the maintainer. The malicious code was intended to overwrite arbitrary files dependent upon the geo-location of the user IP address. The maintainer removed the malicious code in version 10.1.3.

Permalink: https://github.com/advisories/GHSA-97m3-w2cp-4xx6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05N20zLXcyY3AtNHh4Ns0zNw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: over 1 year ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-97m3-w2cp-4xx6, CVE-2022-23812
References:

Repository: https://github.com/RIAEvangelist/node-ipc
Blast Radius: 53.6

Affected Packages

npm:node-ipc

Dependent packages: 433
Dependent repositories: 296,532
Downloads: 1,915,460 last month
Affected Version Ranges: >= 10.1.1, < 10.1.3
Fixed in: 10.1.3
All affected versions:
All unaffected versions: 0.0.1, 0.0.2, 0.9.0, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 1.0.0, 1.0.5, 1.1.0, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.2.0, 1.2.1, 1.2.2, 2.0.0, 2.0.2, 3.0.0, 4.0.0, 4.1.0, 4.1.1, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 6.0.0, 6.0.2, 6.0.3, 7.0.0, 7.0.2, 7.0.3, 8.0.0, 8.1.0, 8.1.1, 8.8.0, 8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.10.0, 8.10.1, 8.10.2, 8.10.3, 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 10.0.0, 10.0.1, 10.0.2, 10.1.0, 11.0.0, 11.1.0