Package dependencies can create vulnerabilities that are fiendishly hard to find and stamp out
# Vulnerability: Stale and Misconfigured Dependency Overrides
## CVE Details
- **CVE ID**: N/A (Focuses on architectural/configuration weaknesses leading to vulnerability re-introduction)
- **CVSS Score**: Variable (Dependent on the specific transitive dependency being bypassed)
- **CWE**: CWE-1104: Use of Unmaintained Third Party Components / CWE-1026: Ineffective Security Control
## Affected Systems
- **Products**: JavaScript/Node.js based applications and frameworks.
- **Versions**: All versions utilizing package managers with override capabilities.
- **Configurations**: Mixed use of `npm`, `pnpm`, or `Yarn` where security overrides are defined in `package.json` but not updated during package manager migrations or dependency tree updates.
## Vulnerability Description
This is a "silent failure" flaw in the software supply chain. Developers use **overrides** (npm), **resolutions** (Yarn), or **pnpm.overrides** to force-update a vulnerable transitive dependency when the upstream maintainer has not yet released a patch.
The security risk occurs in three scenarios:
1. **Migration Failure**: A project moves from `npm` to `pnpm`, but the security override is left under the `overrides` key (ignored by pnpm), silently reinstalling the vulnerable package.
2. **Shadow Overrides**: The dependency tree changes so that the override no longer matches any active path, leaving the developer with a false sense of security while the vulnerability remains or returns.
3. **AI Hallucination/Stale Advice**: AI assistants suggest adding overrides to fix CVEs but never prompt the developer to verify if the override is still active or valid after subsequent updates.
## Exploitation
- **Status**: Exploited in the wild (via transitive dependency attacks like the `node-ipc` incident).
- **Complexity**: Low (The vulnerability is "introduced" by the developer through a failed security configuration).
- **Attack Vector**: Network (Supply Chain).
## Impact
- **Confidentiality**: High (Can lead to data exfiltration via malicious transitive packages).
- **Integrity**: High (Allows for unauthorized code execution in the CI/CD pipeline or production).
- **Availability**: High (Potential for wiper-code or "protestware" like the `node-ipc` case).
## Remediation
### Patches
- **CVE Lite CLI**: Update to the latest version of the [CVE Lite CLI](https[:]//owasp[.]org/cve-lite-cli/) to utilize the new **override auditing** feature.
### Workarounds
- **Hygiene Checks**: Manually audit `package.json` to ensure overrides match the current package manager in use.
- **Upstream Fixes**: Prioritize upgrading the direct dependency once the upstream maintainer incorporates the security patch, then remove the override.
## Detection
- **Indicators of Compromise**: Presence of known vulnerable versions in `package-lock.json` or `pnpm-lock.yaml` despite overrides being present in `package.json`.
- **Detection Methods**:
  - Run `cve-lite` to identify overrides that point at nothing in the resolved tree.
  - Use `audit` commands specific to the package manager (`npm audit`, `yarn audit`).
  - Verify that the override keys match the active package manager (e.g., ensure `pnpm.overrides` is used if using pnpm).
## References
- OWASP CVE Lite CLI: [https[:]//owasp[.]org/cve-lite-cli/](https[:]//owasp[.]org/cve-lite-cli/)
- Node-ipc Incident Analysis: [https[:]//notes[.]ekzhang[.]com/software/node-ipc](https[:]//notes[.]ekzhang[.]com/software/node-ipc)
- NPM Overrides Documentation: [https[:]//docs[.]npmjs[.]com/cli/v9/configuring-npm/package-json#overrides](https[:]//docs[.]npmjs[.]com/cli/v9/configuring-npm/package-json#overrides)