GHSA-7cgc-fjv4-52x6 bignum

Package

Manager: npm
Name: bignum
Vulnerable Version: >=0.12.2 <0.13.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: N/A (percentile: N/A)

Details

Malware in pre-built binaries of bignum

Impact

bignum releases from v0.12.2 to v0.13.0 (inclusive) used node-pre-gyp to optionally download pre-built binary versions of the addon. These binaries were published to an S3 bucket whose name has since expired and been claimed by a malicious third party, which now serves binaries containing malware that exfiltrates data from the user's computer.

Patches

v0.13.1 does not use node-pre-gyp and has no support for downloading pre-built binaries in any form, removing the risk of malicious downloads.
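As an added defender-side example (not part of this advisory or the bignum project), the following script scans a package-lock.json for bignum installs in the affected range >=0.12.2 <0.13.1 so that dependents can be moved to v0.13.1. The lockfile content is constructed for illustration, and the version comparison is a minimal MAJOR.MINOR.PATCH comparison rather than the full semver rules.

```javascript
// Added example (not from the advisory or the bignum project): flag bignum installs
// recorded in a package-lock.json (lockfileVersion 2/3 "packages" map) that fall in
// the affected range >=0.12.2 <0.13.1. The lockfile below is constructed sample data.
const AFFECTED = { name: 'bignum', min: [0, 12, 2], maxExclusive: [0, 13, 1] };

// Parse a "MAJOR.MINOR.PATCH" string into numbers (pre-release/build suffixes ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when version lies in [min, maxExclusive), i.e. >=0.12.2 and <0.13.1.
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED.min) >= 0 && compareVersions(v, AFFECTED.maxExclusive) < 0;
}

// Walk every installed package. Keys look like "node_modules/foo" or, for nested
// installs, "node_modules/a/node_modules/bignum", so match on the final segment.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name === AFFECTED.name && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile: one direct install in the affected range and one nested
// install already on the fixed release.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/bignum': { version: '0.12.5' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/bignum': { version: '0.13.1' },
  },
};
for (const hit of findAffected(sampleLock)) {
  console.log(`${hit.path}@${hit.version} is in the affected range; upgrade to >=0.13.1`);
}
```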

Metadata

Created: 2023-05-24T16:43:58Z
Modified: 2023-05-24T16:43:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-7cgc-fjv4-52x6/GHSA-7cgc-fjv4-52x6.json
CWE IDs: CWE-506
Alternative ID: N/A
Finding: F448
Auto approve: 1