
Cloud Vulnerability DB
A community-led vulnerabilities database
@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, was found to have a vulnerability that could allow arbitrary file creation and overwrite. The vulnerability (CVE-2021-39135) was discovered in August 2021 and affects versions up to 2.8.1. The issue occurs when the node_modules folder of the root project, or of any of its dependencies, is replaced with a symbolic link, potentially allowing writes to arbitrary locations on the file system (GitHub Advisory).
The vulnerability stems from the way @npmcli/arborist handles symbolic links in node_modules folders. While symbolic links contained within package artifact contents are filtered out, other means of creating a node_modules symbolic link could be exploited. Two main attack vectors were identified: 1) a preinstall script could replace node_modules with a symlink (this one can be prevented by running with --ignore-scripts); 2) an attacker could supply a git repository and instruct the target to run npm install --ignore-scripts in its root, an action generally considered safe because an install normally cannot change anything outside the project directory (GitHub Advisory).
Successful exploitation of this vulnerability could allow an attacker to write package dependencies to any arbitrary location on the file system, potentially leading to arbitrary code execution through file overwrites (SecurityWeek).
The vulnerability was patched in @npmcli/arborist version 2.8.2, which is included in npm v7.20.7 and above. As a workaround, users should not run npm install on untrusted codebases without first ensuring that the node_modules directory in the project is not a symbolic link. The fix verifies that the node_modules folder is a real directory before extracting package contents (GitHub Advisory).
Source: This report was generated using AI