CVE-2022-29244 in Node.js
Summary
by MITRE • 06/13/2022
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0; run `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
Analysis
by VulDB Data Team • 04/23/2025
CVE-2022-29244 describes a flaw in npm's package building process that affects workspace environments. npm fails to apply the root-level exclusion directives when npm pack or npm publish is executed in a workspace, that is, with the --workspaces flag or with --workspace=<name>. Workspace support for npm pack arrived in npm v7.9.0 and for npm publish in v7.13.0, so every npm release from those versions up to but not including v8.11.0 can produce tarballs that contain files the root .gitignore or .npmignore was meant to exclude. This behavior violates a basic expectation of package management: the developer should have explicit control over which files end up in the distribution. The flaw is particularly concerning because it sits in the core of npm's package creation and publishing workflow, so sensitive or unnecessary files can reach the public npm registry without any attacker interaction.
Technically, the workspace handling logic in npm's packing routine does not merge the exclusion patterns from the .gitignore and .npmignore files at the workspace root with those of the package being packed. When a workspace package is packed, npm should apply the package's own ignore rules and, in addition, the root-level rules; the affected versions honor only the former, so files the root-level rules should have excluded end up in the final tarball. The issue is categorized under CWE-20: Improper Input Validation, since the exclusion configuration is not handled correctly; in practice its effect is information exposure (secrets, local configuration) and package bloat. Two practical points follow: the root-level rules matter most when the workspace package has no .npmignore of its own, and an explicit files allow-list in a package's package.json is the more robust control, because it names what to ship rather than what to leave out. The flaw lives at the application level, inside npm's own packaging code, and affects the npm pack and npm publish commands on which package distribution in the Node.js ecosystem depends.
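The following is an added example, not npm's own code or any code from this advisory: a deliberately simplified model of workspace packing that shows what dropping the root-level ignore file does to the tarball contents. The workspace layout, the ignore rules and the file names are constructed sample data, and the matcher implements only a gitignore-like subset (comments, a leading "/" anchor, a trailing "/" for directories and a single "*" per path segment; no "**" and no "!" negation). The honourRootIgnore switch is the model's own parameter, not an npm option.

```javascript
// Added example (not npm's own code): a simplified model of how root-level
// and package-level ignore rules should combine when packing a workspace
// package. Constructed sample workspace:
const WORKSPACE = {
  // <root>/.npmignore: rules the maintainer expects to apply to every package
  rootIgnore: ["# root-level rules", ".env", "*.pem", "secrets/"],
  packages: {
    "packages/api": {
      ignore: ["test/", "*.log"], // packages/api/.npmignore
      files: [
        "package.json",
        "index.js",
        ".env",
        "certs/server.pem",
        "secrets/db.json",
        "test/api.test.js",
        "debug.log",
      ],
    },
  },
};

// Compile one ignore line into a RegExp tested against a slash-separated
// path relative to the directory that owns the ignore file. Supported
// subset: "#" comments, leading "/" anchor, trailing "/" directory marker,
// one "*" wildcard per segment. No "**" and no "!" negation.
function compilePattern(line) {
  const trimmed = line.trim();
  if (!trimmed || trimmed.startsWith("#")) return null;
  const noTrailing = trimmed.replace(/\/$/, "");
  const anchored = noTrailing.includes("/"); // "/x" or "a/b" match from the root only
  const body = noTrailing.replace(/^\//, "");
  const segment = body
    .split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join("[^/]*");
  return new RegExp(`${anchored ? "^" : "(^|/)"}${segment}(/|$)`);
}

function isIgnored(relPath, ignoreLines) {
  return ignoreLines
    .map(compilePattern)
    .filter(Boolean)
    .some((re) => re.test(relPath));
}

// honourRootIgnore=false models npm 7.9.0 up to 8.10.x packing a workspace
// package (only the package's own rules apply); honourRootIgnore=true models
// the 8.11.0 behaviour in which the root-level rules are applied as well.
// Real npm-packlist has further rules (package.json and README are always
// included, etc.) that this model leaves out.
function selectFiles(ws, pkgDir, { honourRootIgnore }) {
  const pkg = ws.packages[pkgDir];
  return pkg.files.filter((f) => {
    if (isIgnored(f, pkg.ignore)) return false;
    if (honourRootIgnore && isIgnored(`${pkgDir}/${f}`, ws.rootIgnore)) return false;
    return true;
  });
}

const affectedTarball = selectFiles(WORKSPACE, "packages/api", { honourRootIgnore: false });
const fixedTarball = selectFiles(WORKSPACE, "packages/api", { honourRootIgnore: true });

console.log("affected npm would pack:", affectedTarball);
console.log("patched npm would pack: ", fixedTarball);
```

With the root rules dropped, .env, certs/server.pem and secrets/db.json survive the package-level filter and would be shipped; with them merged, only package.json and index.js remain. The package-level rules (test/, *.log) work in both modes, which is why the problem is easy to miss in a quick look at the tarball.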
The operational impact of CVE-2022-29244 goes beyond a packaging inconvenience. A developer who runs npm pack or npm publish in a workspace with an affected npm may publish .env files, private keys, local configuration or other confidential material that the root-level ignore rules were supposed to keep out of the tarball. Because anything published to the public npm registry can be downloaded by anyone, such content is disclosed at the moment of publication, and unpublishing the version afterwards does not undo the disclosure: credentials that reached the registry have to be treated as compromised and rotated. The implications are most serious for organizations with strict compliance requirements or those handling sensitive data, as the flaw can lead to unauthorized disclosure of proprietary information or internal system details. It also undermines the predictability of publishing workflows and the trust consumers place in the ecosystem. From an attacker's perspective this is an information-disclosure issue rather than a code-execution one; the realistic abuse is passive, scanning published tarballs for leaked credentials and using them elsewhere.
Organizations affected by this vulnerability should upgrade to npm v8.11.0 or later, which applies root-level exclusion directives correctly in workspaces; run npm i -g npm@latest on every developer and CI machine that publishes packages. The Node.js releases v16.15.1, v17.9.1 and v18.3.0 (the advisory text prints the 17.x release as v17.19.1) already bundle the patched npm, so hosts on those or later releases need no separate npm upgrade, while older Node.js installations do. Administrators should then audit every package published from a workspace between the introduction of workspace support (npm v7.9.0 for pack, v7.13.0 for publish) and the upgrade, since the defect was in the publisher's toolchain and no registry-side check would have caught it: download each such version, list the tarball contents and look for files the root .gitignore or .npmignore should have excluded. Any credential found this way must be rotated, not merely unpublished. Remediation should also verify that .gitignore and .npmignore files are configured as intended, prefer an explicit files allow-list in each workspace package's package.json, and exercise the packing workflow with npm pack --dry-run against the workspace before publishing. Automated secret scanning of the tarball as a pre-publish gate adds a further check. The vulnerability demonstrates the importance of keeping package management tooling up to date and of regular security review of core development infrastructure.
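As an added example of the audit step (not code from npm or from this advisory), the helpers below flag suspicious entries in a package's file list and decide whether a given npm version falls in the affected range. The pack JSON is constructed sample data shaped like the array that npm pack --dry-run --json prints (only the name, version and files[].path fields are used); the sensitive-name patterns and the "@acme/api" package are assumptions for illustration.

```javascript
// Added example (not npm's own code): audit helpers for CVE-2022-29244.
// Constructed sample in the shape of `npm pack --dry-run --json` output.
const SAMPLE_PACK_JSON = [
  {
    name: "@acme/api",
    version: "1.4.2",
    filename: "acme-api-1.4.2.tgz",
    files: [
      { path: "package.json", size: 412, mode: 420 },
      { path: "index.js", size: 1930, mode: 420 },
      { path: ".env", size: 88, mode: 420 },
      { path: "certs/server.pem", size: 1675, mode: 384 },
      { path: "secrets/db.json", size: 120, mode: 420 },
    ],
  },
];

// Names that should essentially never appear in a public tarball. Extend
// with project-specific rules (typically the root .npmignore entries).
const SENSITIVE_PATTERNS = [
  { reason: "dotenv file", re: /(^|\/)\.env(\.[^/]+)?$/ },
  { reason: "private key or certificate", re: /\.(pem|key|p12|pfx)$/i },
  { reason: "ssh private key", re: /(^|\/)id_(rsa|dsa|ecdsa|ed25519)$/ },
  { reason: "npm credentials", re: /(^|\/)\.npmrc$/ },
  { reason: "git metadata", re: /(^|\/)\.git(\/|$)/ },
];

// Audit a flat list of paths: either files[].path from pack JSON, or the
// lines printed by `tar -tzf` on a downloaded tarball, whose entries carry
// a leading "package/" that is stripped here.
function auditPaths(paths, extraPatterns = []) {
  const extra = extraPatterns.map((re) => ({ reason: "matches project rule " + re, re }));
  const findings = [];
  for (const raw of paths) {
    const p = raw.replace(/^package\//, "");
    const hit = [...SENSITIVE_PATTERNS, ...extra].find(({ re }) => re.test(p));
    if (hit) findings.push({ path: p, reason: hit.reason });
  }
  return findings;
}

function auditPackOutput(packJson, extraPatterns = []) {
  const findings = [];
  for (const pkg of packJson) {
    for (const f of auditPaths(pkg.files.map((e) => e.path), extraPatterns)) {
      findings.push({ package: `${pkg.name}@${pkg.version}`, ...f });
    }
  }
  return findings;
}

// Minimal numeric semver compare; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, "").split("-")[0].split(".").map(Number);
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Workspace support reached `npm pack` in 7.9.0 and `npm publish` in
// 7.13.0; both were fixed in 8.11.0 (per the advisory text above).
function npmIsAffected(version, command = "pack") {
  const first = command === "publish" ? "7.13.0" : "7.9.0";
  return compareVersions(version, first) >= 0 && compareVersions(version, "8.11.0") < 0;
}

console.log(auditPackOutput(SAMPLE_PACK_JSON, [/^secrets\//]));
console.log("npm 8.10.0 affected for pack:", npmIsAffected("8.10.0"));
```

For a live workspace, run npm pack --dry-run --json --workspace=<name>, JSON.parse the output and pass it to auditPackOutput together with the root .npmignore rules expressed as regular expressions; for versions already on the registry, fetch the URL from npm view <pkg>@<version> dist.tarball, run tar -tzf on the download and pass the lines to auditPaths. npmIsAffected takes the output of npm --version on the machine that did the publishing.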