7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29244

GHSA ID

GHSA-hj9c-8jmm-8c52

EPSS Score

0.76588%

CWE

CWE-200

Published

6/2/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29244

CVE-2022-29244: Packing does not respect root-level ignore files in workspaces

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

Upgrade to the latest, patched version of npm (v8.11.0 or greater), run: npm i -g npm@latest
Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you're impacted

Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
If you find that there are files included you did not expect, you should: 3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package") 3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>) 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29244

GHSA ID

GHSA-hj9c-8jmm-8c52

EPSS Score

0.76588%

CWE

CWE-200

Published

6/2/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
npm	npm	>= 7.9.0, < 8.11.0	8.11.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of root-level ignore files in workspace contexts. npm-packlist is directly responsible for file inclusion logic, and its failure to apply root ignore rules in workspaces is a core issue. Libnpmpack's role in passing workspace/prefix context to npm-packlist (as indicated in the fix commit 'pass prefix and workspaces to libnpmpack') confirms its involvement. The patch in npm v8.11.0 addressed both components, aligning with the described vulnerability impact.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t `npm p**k` i*nor*s root-l*v*l `.*iti*nor*` & `.npmi*nor*` *il* *x*lusion *ir**tiv*s w**n run in * worksp*** or wit* * worksp*** *l** (i*. `--worksp***s`, `--worksp***=<n*m*>`). *nyon* w*o **s run `npm p**k` or `npm pu*lis*` wit* worksp***s

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* root-l*v*l i*nor* *il*s in worksp*** *ont*xts. `npm-p**klist` is *ir**tly r*sponsi*l* *or *il* in*lusion lo*i*, *n* its **ilur* to *pply root i*nor* rul*s in worksp***s is * *or* issu*. `Li*npmp**k`'s

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-29244: Packing does not respect root-level ignore files in workspaces

Impact

Patch

Steps to take to see if you're impacted

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI