
CVE-2022-29244: Packing does not respect root-level ignore files in workspaces

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.76588%
Published: 6/2/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected package
Package Name: npm
Ecosystem: npm
Vulnerable Versions: >= 7.9.0, < 8.11.0
First Patched Version: 8.11.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper handling of root-level ignore files in workspace contexts. `npm-packlist` is directly responsible for the file inclusion logic, and its failure to apply root-level ignore rules in workspaces is the core issue. `libnpmpack`'s role in passing the workspace/prefix context to `npm-packlist` (as indicated by the fix commit 'pass prefix and workspaces to libnpmpack') confirms its involvement. The patch in npm v8.11.0 addressed both components, aligning with the described vulnerability impact.


WAF Protection Rules

WAF Rule

Impact
`npm pack` ignores root-level `.gitignore` & `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` with workspaces
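The practical check a maintainer wants for both the root cause analysis above and this impact statement is to confirm, before publishing, that a workspace package's planned tarball contents really honour the root-level ignore rules. The script below is an added example, not code from Miggo, npm, `npm-packlist` or `libnpmpack`: it parses a root `.npmignore` with simplified gitignore semantics (last matching rule wins, `!` negates, a trailing `/` marks a directory; nested-path edge cases of real gitignore matching are not modelled) and reports every file in a pack listing that those rules say should have been excluded. The ignore file and the pack listing are constructed samples; the listing only mimics the `files` array of `npm pack --dry-run --json` output, which is an assumption about that output's shape.

```python
"""Audit a planned `npm pack` file list against root-level ignore rules.

Added example (not part of the Miggo page or the npm project). Matching is a
simplified subset of gitignore semantics, good enough to flag obvious leaks
such as secrets or fixtures that a root .npmignore was meant to exclude.
"""
import fnmatch
import json

# Constructed sample: root-level .npmignore of a hypothetical monorepo.
ROOT_NPMIGNORE = """
# secrets and local config
.env
*.pem
# test fixtures, except the README
test/
!test/README.md
"""

# Constructed sample mimicking the `files` array that `npm pack --dry-run --json`
# prints for a workspace package (assumed shape; only `path` is used here).
SAMPLE_PACK_JSON = json.dumps([{
    "name": "@example/workspace-a",
    "files": [
        {"path": "package.json"},
        {"path": "index.js"},
        {"path": ".env"},
        {"path": "certs/server.pem"},
        {"path": "test/fixtures/secret-dump.sql"},
        {"path": "test/README.md"},
    ],
}])


def parse_ignore(text):
    """Return (pattern, negated, dir_only) tuples from ignore-file text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        dir_only = line.endswith("/")
        rules.append((line.rstrip("/"), negated, dir_only))
    return rules


def _matches(pattern, path, dir_only):
    """Simplified gitignore matching.

    A pattern without '/' matches any single path component at any depth;
    a directory pattern (trailing '/') matches everything beneath that directory.
    """
    parts = path.split("/")
    if "/" not in pattern:
        candidates = parts[:-1] if dir_only else parts
        return any(fnmatch.fnmatch(p, pattern) for p in candidates)
    pattern = pattern.lstrip("/")
    if dir_only:
        return path.startswith(pattern + "/")
    return fnmatch.fnmatch(path, pattern)


def is_ignored(path, rules):
    """Apply rules in order; the last rule that matches decides (gitignore style)."""
    ignored = False
    for pattern, negated, dir_only in rules:
        if _matches(pattern, path, dir_only):
            ignored = not negated
    return ignored


def leaked_files(pack_json, ignore_text):
    """Paths in the pack listing that the root ignore rules should have excluded."""
    rules = parse_ignore(ignore_text)
    leaks = []
    for pkg in json.loads(pack_json):
        for entry in pkg["files"]:
            if is_ignored(entry["path"], rules):
                leaks.append(entry["path"])
    return leaks


if __name__ == "__main__":
    for path in leaked_files(SAMPLE_PACK_JSON, ROOT_NPMIGNORE):
        print("would be published despite root ignore rule:", path)
```

On an affected npm version the sample listing reproduces the problem: `.env`, `certs/server.pem` and `test/fixtures/secret-dump.sql` survive into the tarball even though the root `.npmignore` excludes them, while `test/README.md` is correctly kept by the negation rule. Wiring the script to real `npm pack --dry-run --json` output gives a pre-publish gate that fails the build whenever the leak list is non-empty, independent of which npm version the CI runner happens to use.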
