Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2022-29244

UNKNOWN
Published 2022-06-13T13:40:27.000Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-29244. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
7.5
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.009
probability
of exploitation in the wild

There is a 0.9% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.747
Higher than 74.7% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
NONE
Availability
NONE

Description

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

npm

npm

Affected Versions:

7.9.0 8.11.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Packing does not respect root-level ignore files in workspaces

GHSA-hj9c-8jmm-8c52

Advisory Details

### Impact `npm pack` ignores root-level `.gitignore` & `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` with workspaces, as of [v7.9.0](https://github.com/npm/cli/releases/tag/v7.9.0) & [v7.13.0](https://github.com/npm/cli/releases/tag/v7.13.0) respectively, may be affected and have published files into the npm registry they did not intend to include. ### Patch - Upgrade to the latest, patched version of `npm` ([`v8.11.0`](https://github.com/npm/cli/releases/tag/v8.11.0) or greater), run: `npm i -g npm@latest` - Node.js versions [`v16.15.1`](https://github.com/nodejs/node/releases/tag/v16.15.1), [`v17.19.1`](https://github.com/nodejs/node/releases/tag/v17.9.1) & [`v18.3.0`](https://github.com/nodejs/node/releases/tag/v18.3.0) include the patched `v8.11.0` version of `npm` #### Steps to take to see if you're impacted 1. Run `npm publish --dry-run` or `npm pack` with an `npm` version `>=7.9.0` & `<8.11.0` inside the project's root directory using a workspace flag like: `--workspaces` or `--workspace=<name>` (ex. `npm pack --workspace=foo`) 2. Check the output in your terminal which will list the package contents (note: `tar -tvf <package-on-disk>` also works) 3. If you find that there are files included you did not expect, you should: 3.1. Create & publish a new release excluding those files (ref. ["Keeping files out of your Package"](https://docs.npmjs.com/cli/v8/using-npm/developers#keeping-files-out-of-your-package)) 3.2. Deprecate the old package (ex. `npm deprecate <pkg>[@<version>] <message>`) 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed ### References - [CVE-2022-29244](https://nvd.nist.gov/vuln/detail/CVE-2022-29244) - [`npm-packlist`](https://github.com/npm/npm-packlist) - [`libnpmpack`](https://github.com/npm/cli/tree/latest/workspaces/libnpmpack) - [`libnpmpublish`](https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish)

Affected Packages

npm npm
ECOSYSTEM: ≥7.9.0 <8.11.0

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

WEB https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-29244
WEB https://github.com/nodejs/node/pull/43210
WEB https://github.com/nodejs/node/releases/tag/v16.15.1
WEB https://github.com/nodejs/node/releases/tag/v17.9.1
WEB https://github.com/nodejs/node/releases/tag/v18.3.0
WEB https://github.com/npm/cli
WEB https://github.com/npm/cli/releases/tag/v8.11.0
WEB https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
WEB https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
WEB https://github.com/npm/npm-packlist
WEB https://security.netapp.com/advisory/ntap-20220722-0007

Advisory provided by GitHub Security Advisory Database. Published: June 2, 2022, Modified: June 29, 2022

References

https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
https://github.com/npm/npm-packlist
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
https://github.com/nodejs/node/pull/43210
https://github.com/npm/cli/releases/tag/v8.11.0
https://github.com/nodejs/node/releases/tag/v16.15.1
https://github.com/nodejs/node/releases/tag/v17.9.1
https://github.com/nodejs/node/releases/tag/v18.3.0
https://security.netapp.com/advisory/ntap-20220722-0007/
Published: 2022-06-13T13:40:27.000Z
Last Modified: 2025-04-23T16:23:31.058Z
Copied to clipboard!