CVE-2021-39135 Overview
CVE-2021-39135 is a symlink attack vulnerability in @npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface. The library aims to guarantee that package dependency contracts will be met and that package contents extraction will always be performed into the expected folder. However, if the node_modules folder of the root project or any of its dependencies is replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system.
Critical Impact
This vulnerability enables arbitrary file write through symlink manipulation, potentially allowing attackers to overwrite system files or inject malicious code outside the project directory.
Affected Products
- npmjs Arborist (versions prior to 2.8.2)
- npmjs npm (versions prior to 7.20.7)
- Oracle GraalVM Enterprise Edition (20.3.3 and 21.2.0)
- Siemens SINEC Infrastructure Network Services
Discovery Timeline
- 2021-08-31 - CVE-2021-39135 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-39135
Vulnerability Analysis
This vulnerability is classified as a symlink attack (CWE-61, CWE-59), which falls under the category of UNIX Symbolic Link (Symlink) Following vulnerabilities. The issue arises from improper validation of symbolic links during package installation operations.
Arborist normally extracts package contents into a project's node_modules folder with the expectation that this folder is a legitimate directory within the project structure. While symbolic links contained within package artifact contents are filtered out during extraction, the library fails to validate whether the node_modules folder itself has been replaced with a symbolic link pointing to an external location.
When Arborist encounters a symlink masquerading as the node_modules directory, it follows the symlink and writes package contents to the arbitrary target location. This behavior can be exploited to write files outside the intended project directory, potentially overwriting critical system files or injecting malicious code into sensitive locations.
Root Cause
The root cause of this vulnerability is insufficient validation of the node_modules directory before performing write operations. The Arborist library trusts that the node_modules folder is a legitimate directory without verifying whether it might be a symbolic link pointing elsewhere on the file system. While the library correctly filters symbolic links within package contents, it fails to apply the same security check to the target installation directory itself.
Attack Vector
The attack requires local access and user interaction, as described in two primary exploitation scenarios:
Scenario 1: Malicious preinstall script
A malicious package can include a preinstall script that replaces the node_modules folder with a symlink to an arbitrary location before Arborist writes package contents. This attack is prevented when using the --ignore-scripts flag.
Scenario 2: Malicious git repository
An attacker could provide a victim with a crafted git repository and instruct them to run npm install --ignore-scripts in the root. This attack is particularly deceptive because npm install --ignore-scripts is typically considered safe since it's not expected to make changes outside the project directory. However, if the repository already contains a node_modules symlink pointing to an external location, Arborist will follow it and write dependencies to the attacker-controlled path.
The vulnerability manifests in the directory resolution and file writing operations within Arborist's package extraction logic. When the library resolves the node_modules path, it does not check whether the path is a symbolic link, allowing the symlink traversal to occur during subsequent write operations. For detailed technical information, refer to the GitHub Security Advisory GHSA-gmw6-94gg-2rc2.
Detection Methods for CVE-2021-39135
Indicators of Compromise
- Presence of symbolic links in project node_modules directories pointing to locations outside the project tree
- Unexpected file modifications in system directories or sensitive locations following npm install operations
- npm or Arborist versions older than the patched versions (npm < 7.20.7 or @npmcli/arborist < 2.8.2)
- Suspicious preinstall scripts in package.json files that manipulate directory structures
Detection Strategies
- Monitor file system operations during npm install for writes outside the project directory
- Implement file integrity monitoring (FIM) on sensitive system directories to detect unexpected modifications
- Scan project repositories for pre-existing node_modules symbolic links before running npm install
- Use software composition analysis (SCA) tools to identify vulnerable versions of npm and Arborist
Monitoring Recommendations
- Enable audit logging for npm operations and review for anomalous directory traversal patterns
- Deploy endpoint detection and response (EDR) solutions that can detect symlink-based file system manipulation
- Implement CI/CD pipeline checks that validate repository contents before executing npm install commands
- Monitor for the creation of symbolic links in project directories, especially those named node_modules
How to Mitigate CVE-2021-39135
Immediate Actions Required
- Upgrade @npmcli/arborist to version 2.8.2 or later
- Upgrade npm to version 7.20.7 or later
- Review and audit any projects that may have been installed using vulnerable versions
- Inspect existing repositories for suspicious node_modules symbolic links before running npm install
Patch Information
The vulnerability is patched in @npmcli/arborist version 2.8.2, which is included in npm version 7.20.7 and above. Organizations using Oracle GraalVM should consult the Oracle CPU October 2021 Security Alert for specific patch guidance. For Siemens SINEC Infrastructure Network Services users, refer to the Siemens Security Advisory SSA-389290 for remediation instructions.
Workarounds
- Always use --ignore-scripts flag when installing packages from untrusted sources to prevent malicious preinstall scripts from creating symlinks
- Manually verify that node_modules is not a symbolic link before running npm install on untrusted repositories
- Use isolated environments (containers, VMs) when working with untrusted npm packages to limit potential damage from arbitrary file writes
- Implement pre-install hooks in your development workflow to check for and remove suspicious symbolic links
# Verify node_modules is not a symlink before installation
if [ -L "node_modules" ]; then
echo "WARNING: node_modules is a symbolic link!"
ls -la node_modules
exit 1
fi
# Safe installation with scripts disabled
npm install --ignore-scripts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
