Security vulnerabilities

  • Status: Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by ssb07 - 25.01.2025
Last edited by cbay - 27.01.2025

FS#125 - Bug: NPM Dependency Confusion Vulnerability.

Hope everything is going well on your side.

Recently, while enumerating over alwaysdata.net and alwaysdata.com, I came across a JS file which contains an npm dependency that you also use via the command require('nw.gui'). When I checked it on the npm registry, it did not exist there. So I claimed it. I also came across other dependencies which are used in other JS files with the exact same syntax, but they already exist on the npm registry; only this dependency does not exist on the npm registry. So, it could easily result in an npm dependency confusion vulnerability, which could have severe consequences: if you ever update/install it, it will easily give rise to Remote Code Execution on the user/developer system, whether it is in scope or not.

## Steps to reproduce:

1. Enumerate over your domain and find all endpoints.
2. From the endpoints, extract all JS files.
3. In the JS files, search for npm dependencies.

![some-js-files-found](https://drive.google.com/file/d/16VphYAjHXuYmwsBvx0fWcgbePP1y5JPy/view?usp=drive_link)

4. You will find the dependency which I mentioned above.

![Found-npm-dependency](https://drive.google.com/file/d/1VZMibcPlCity-RPpZPkl1TSKuNkswbZA/view?usp=drive_link)

See this JS file: [Link](https://foxrewards.alwaysdata.net/jeu/js/rpg_core.js)
5. Claimed the dependency.

![Claimed-bucket-with-some-downloads-also](https://drive.google.com/file/d/14FWf1qfh3p5f3TRndRJCPcAn0LEunRNS/view?usp=drive_link)

## Impact:

1. If you ever update/install it, it will easily give rise to Remote Code Execution on the user/developer system, which could be fatal.
2. Reputational damage to the company.

## Mitigation
Once you have reviewed this report, I can unclaim the package and you can upload your own ones there.

Closed by cbay, 27.01.2025 08:10
Reason for closing: Invalid

cbay (Admin) commented on 27.01.2025 08:09

Hello,

As specified in our bug bounty program, files on the alwaysdata.net subdomains do not belong to us, they belong to our clients.

Kind regards,
Cyril

ssb07 commented on 27.01.2025 08:49

Can we report it to them?

cbay (Admin) commented on 27.01.2025 08:51

Feel free to do it if you want, but we can't help you.

ssb07 commented on 27.01.2025 08:54

Okay, no problem, but can you confirm that foxrewards is your client's name?

cbay (Admin) commented on 27.01.2025 09:12

I'm sorry but I can't help you.
