CVE-2021-39135: UNIX Symbolic Link (Symlink) Following

August 31, 2021 (updated November 7, 2023)

@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.

References

github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2
nvd.nist.gov/vuln/detail/CVE-2021-39135
www.npmjs.com/package/@npmcli/arborist
www.oracle.com/security-alerts/cpuoct2021.html

Detect and mitigate CVE-2021-39135 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →