How severe is CVE-2021-43616?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2021-43616?

This is classified as CWE-345, which is a common weakness in software security.

CVE-2021-43616 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.

Related Vulnerabilities

CVE-2013-2167

CRITICAL

CVSS:9.8(Critical)

python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass

CWE-3452013

CVE-2015-3956

CRITICAL

CVSS:9.8(Critical)

Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior accept drug libraries, firmware updates, pum...

CWE-3452015

CVE-2016-1000004

CRITICAL

CVSS:9.8(Critical)

Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0...

CWE-3452016

CVE-2017-3198

CRITICAL

CVSS:9.8(Critical)

GIGABYTE BRIX UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP. An attacker can make arbitrary mo...

CWE-3452017

CVE-2018-19971

CRITICAL

CVSS:9.8(Critical)

JFrog Artifactory Pro 6.5.9 has Incorrect Access Control.

CWE-3452018

CVE-2019-11235

CRITICAL

CVSS:9.8(Critical)

FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection ...

CWE-3452019