{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nogginlessdom--0.0.21/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nogginlessdom (\u003c= 0.0.21)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","supply-chain","ci/cd","npm","vulnerability"],"_cs_type":"advisory","_cs_vendors":["asymmetric-effort"],"content_html":"\u003cp\u003eA critical path traversal vulnerability, tracked as GHSA-322x-v876-g883, has been identified in the \u003ccode\u003ematchFileSnapshot\u003c/code\u003e function within the \u003ccode\u003e@asymmetric-effort/nogginlessdom\u003c/code\u003e JavaScript library, specifically in versions \u003ccode\u003e0.0.21\u003c/code\u003e and earlier. This flaw arises from insufficient validation of the \u003ccode\u003efilePath\u003c/code\u003e parameter when the library operates in snapshot update mode (e.g., \u003ccode\u003eUPDATE_SNAPSHOTS=1\u003c/code\u003e environment variable or \u003ccode\u003esetUpdateMode('all')\u003c/code\u003e). An attacker capable of controlling the \u003ccode\u003efilePath\u003c/code\u003e input during testing can exploit this to write arbitrary content to any location on the filesystem where the process has write permissions. This includes creating new directories and overwriting existing files, posing a significant risk, particularly in CI/CD pipelines where untrusted test inputs from pull requests could lead to supply chain compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts malicious test input that includes a specially constructed \u003ccode\u003efilePath\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../../../tmp/evil.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious test input is processed in an environment where the \u003ccode\u003e@asymmetric-effort/nogginlessdom\u003c/code\u003e library is used, and the snapshot update mode is active (\u003ccode\u003eUPDATE_SNAPSHOTS=1\u003c/code\u003e or \u003ccode\u003esetUpdateMode('all')\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003ematchFileSnapshot\u003c/code\u003e function is called with the attacker-controlled \u003ccode\u003efilePath\u003c/code\u003e and arbitrary content.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efs.existsSync(filePath)\u003c/code\u003e check fails because the path is outside the expected directory, triggering the creation logic.\u003c/li\u003e\n\u003cli\u003eThe library’s \u003ccode\u003efs.mkdirSync(dir, { recursive: true });\u003c/code\u003e function creates intermediate directories specified by the attacker in the malicious \u003ccode\u003efilePath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efs.writeFileSync(filePath, serialized, 'utf-8');\u003c/code\u003e function writes attacker-controlled \u003ccode\u003eserialized\u003c/code\u003e content to the arbitrary \u003ccode\u003efilePath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIn a CI/CD environment, this allows overwriting critical configuration files (e.g., \u003ccode\u003e/home/runner/.github/workflows/backdoor.yml\u003c/code\u003e), injecting malicious code into build artifacts, or modifying pipeline definitions.\u003c/li\u003e\n\u003cli\u003eThe successful write leads to arbitrary code execution, persistence within the build system, or compromise of distributed software.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows an attacker to perform arbitrary file writes, creating new directories and overwriting existing files with attacker-controlled content. In CI/CD environments, this is particularly severe as untrusted pull requests could trigger the exploit. Consequences include the complete compromise of build processes, such as overwriting CI configuration files to inject malicious steps, injecting malicious code directly into build artifacts, or modifying source code used in subsequent builds. This directly enables supply chain attacks, potentially affecting all downstream consumers of the compromised software. The specific number of victims is not available, but any organization using vulnerable versions of the library in their CI/CD systems is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@asymmetric-effort/nogginlessdom\u003c/code\u003e to version \u003ccode\u003e0.0.22\u003c/code\u003e or later immediately to apply the patch referenced in GHSA-322x-v876-g883.\u003c/li\u003e\n\u003cli\u003eImplement controls to prevent untrusted input from reaching build environments, especially in CI/CD pipelines.\u003c/li\u003e\n\u003cli\u003eReview CI/CD pipeline definitions and build artifacts for unauthorized modifications after applying the patch.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:29:03Z","date_published":"2026-07-03T11:29:03Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nogginlessdom-path-traversal/","summary":"A path traversal vulnerability (GHSA-322x-v876-g883) in the `matchFileSnapshot` function of the `@asymmetric-effort/nogginlessdom` library allows an attacker to write arbitrary content to any filesystem path with write access when snapshot update mode is active, potentially leading to supply chain compromise in CI/CD environments.","title":"Path Traversal Vulnerability in @asymmetric-effort/nogginlessdom Allows Arbitrary File Write","url":"https://feed.craftedsignal.io/briefs/2026-07-nogginlessdom-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Nogginlessdom (\u003c= 0.0.21)","version":"https://jsonfeed.org/version/1.1"}