<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Nogginlessdom (&lt;= 0.0.21) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/nogginlessdom--0.0.21/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:29:03 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/nogginlessdom--0.0.21/feed.xml" rel="self" type="application/rss+xml"/><item><title>Path Traversal Vulnerability in @asymmetric-effort/nogginlessdom Allows Arbitrary File Write</title><link>https://feed.craftedsignal.io/briefs/2026-07-nogginlessdom-path-traversal/</link><pubDate>Fri, 03 Jul 2026 11:29:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-nogginlessdom-path-traversal/</guid><description>A path traversal vulnerability (GHSA-322x-v876-g883) in the `matchFileSnapshot` function of the `@asymmetric-effort/nogginlessdom` library allows an attacker to write arbitrary content to any filesystem path with write access when snapshot update mode is active, potentially leading to supply chain compromise in CI/CD environments.</description><content:encoded><![CDATA[<p>A critical path traversal vulnerability, tracked as GHSA-322x-v876-g883, has been identified in the <code>matchFileSnapshot</code> function within the <code>@asymmetric-effort/nogginlessdom</code> JavaScript library, specifically in versions <code>0.0.21</code> and earlier. This flaw arises from insufficient validation of the <code>filePath</code> parameter when the library operates in snapshot update mode (e.g., <code>UPDATE_SNAPSHOTS=1</code> environment variable or <code>setUpdateMode('all')</code>). An attacker capable of controlling the <code>filePath</code> input during testing can exploit this to write arbitrary content to any location on the filesystem where the process has write permissions. This includes creating new directories and overwriting existing files, posing a significant risk, particularly in CI/CD pipelines where untrusted test inputs from pull requests could lead to supply chain compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts malicious test input that includes a specially constructed <code>filePath</code> parameter containing path traversal sequences (e.g., <code>../../../tmp/evil.txt</code>).</li>
<li>The malicious test input is processed in an environment where the <code>@asymmetric-effort/nogginlessdom</code> library is used, and the snapshot update mode is active (<code>UPDATE_SNAPSHOTS=1</code> or <code>setUpdateMode('all')</code>).</li>
<li>The vulnerable <code>matchFileSnapshot</code> function is called with the attacker-controlled <code>filePath</code> and arbitrary content.</li>
<li>The <code>fs.existsSync(filePath)</code> check fails because the path is outside the expected directory, triggering the creation logic.</li>
<li>The library’s <code>fs.mkdirSync(dir, { recursive: true });</code> function creates intermediate directories specified by the attacker in the malicious <code>filePath</code>.</li>
<li>The <code>fs.writeFileSync(filePath, serialized, 'utf-8');</code> function writes attacker-controlled <code>serialized</code> content to the arbitrary <code>filePath</code>.</li>
<li>In a CI/CD environment, this allows overwriting critical configuration files (e.g., <code>/home/runner/.github/workflows/backdoor.yml</code>), injecting malicious code into build artifacts, or modifying pipeline definitions.</li>
<li>The successful write leads to arbitrary code execution, persistence within the build system, or compromise of distributed software.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability allows an attacker to perform arbitrary file writes, creating new directories and overwriting existing files with attacker-controlled content. In CI/CD environments, this is particularly severe as untrusted pull requests could trigger the exploit. Consequences include the complete compromise of build processes, such as overwriting CI configuration files to inject malicious steps, injecting malicious code directly into build artifacts, or modifying source code used in subsequent builds. This directly enables supply chain attacks, potentially affecting all downstream consumers of the compromised software. The specific number of victims is not available, but any organization using vulnerable versions of the library in their CI/CD systems is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade <code>@asymmetric-effort/nogginlessdom</code> to version <code>0.0.22</code> or later immediately to apply the patch referenced in GHSA-322x-v876-g883.</li>
<li>Implement controls to prevent untrusted input from reaching build environments, especially in CI/CD pipelines.</li>
<li>Review CI/CD pipeline definitions and build artifacts for unauthorized modifications after applying the patch.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>supply-chain</category><category>ci/cd</category><category>npm</category><category>vulnerability</category></item></channel></rss>