GMS-2020-104: Arbitrary File Write in bin-links
Versions of bin-links are vulnerable to an Arbitrary File Write. The package fails to restrict access to folders outside of the intended `node_modules` folder through the `bin` field. This allows attackers to create arbitrary files in the system. Note it is not possible to overwrite files that already exist.

## Recommendation
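
The description above says that entries in the `bin` field can resolve outside the intended `node_modules` folder. The following Node.js check is an added example, not code from bin-links or from this advisory: it audits a package manifest without touching the filesystem and reports any `bin` link name that would land outside the bin directory, and additionally any target outside the package directory. The manifest, the install paths and the function names are constructed for illustration.

```javascript
const path = require('node:path');

// True when `candidate` is strictly below `root` (both absolute POSIX paths).
function isInside(root, candidate) {
  const rel = path.posix.relative(root, candidate);
  return rel !== '' && rel !== '..' && !rel.startsWith('../');
}

// Normalize "bin": a string means one command named after the package
// (for a scoped name, the part after the slash).
function binEntries(manifest) {
  const bin = manifest.bin;
  if (!bin) return [];
  if (typeof bin === 'string') {
    return [[String(manifest.name || '').split('/').pop(), bin]];
  }
  return Object.entries(bin);
}

// Report entries whose link would be created outside binDir, or whose
// target lies outside the package directory. Nothing is read or written.
function auditBin(manifest, pkgDir, binDir) {
  const findings = [];
  const slash = (s) => String(s).replace(/\\/g, '/'); // treat "\" as a separator too
  for (const [name, target] of binEntries(manifest)) {
    const link = path.posix.resolve(binDir, slash(name));
    const file = path.posix.resolve(pkgDir, slash(target));
    if (!isInside(binDir, link)) findings.push({ name, problem: 'link', resolved: link });
    if (!isInside(pkgDir, file)) findings.push({ name, problem: 'target', resolved: file });
  }
  return findings;
}

// Constructed manifest and install paths (assumptions for this example).
const PKG_DIR = '/proj/node_modules/@example/tool';
const BIN_DIR = '/proj/node_modules/.bin';
const SAMPLE = {
  name: '@example/tool',
  bin: {
    tool: 'cli.js',                                  // stays inside .bin
    '../../../../tmp/created-by-install': 'cli.js',  // link name leaves .bin
    'ok/../tool2': 'bin/tool2.js',                   // normalizes back inside .bin
    helper: '../../outside.js',                      // target leaves the package
  },
};

for (const f of auditBin(SAMPLE, PKG_DIR, BIN_DIR)) {
  console.log(`${f.problem} escapes: ${JSON.stringify(f.name)} -> ${f.resolved}`);
}
```

Running the same check over the manifests in a lockfile's dependency tree before install gives a list of packages to review or block.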
## References