VYPR
Moderate severity · NVD Advisory · Published Aug 8, 2019 · Updated Aug 5, 2024

CVE-2019-14772

Description

Verdaccio before 3.12.0 is vulnerable to Cross-Site Scripting (XSS), enabling malicious package content to execute JavaScript in the UI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2019-14772 is a Cross-Site Scripting (XSS) vulnerability in Verdaccio, a lightweight Node.js private proxy registry. The flaw exists in versions prior to 3.12.0 and allows JavaScript embedded in malicious package content to execute in the web UI when a user views that package [1][2].

Attack Vector and Prerequisites

An attacker can exploit this vulnerability by publishing, or causing a user to view, a package that includes crafted JavaScript content. The XSS executes in the context of the user's browser session when they interact with the malicious package in the Verdaccio web interface. No authentication or special privileges are explicitly required for exploitation, but the victim must be logged into Verdaccio for the attack to compromise credentials [3].

Impact

If successfully exploited, an attacker can steal user credentials, potentially gaining unauthorized access to the registry or other privileged actions [3]. The impact is limited to the data and operations accessible within the Verdaccio UI session.

Mitigation

Verdaccio users running version 3 should upgrade to 3.12.0 or later. Users who can migrate to major version 4.0.0 or later are also protected, as that release incorporates the fix. There is no workaround; updating the software is required [3].
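As an added illustration of the vulnerability class described above (not Verdaccio's own code, and not the actual location of the flaw, which this advisory does not identify): a registry UI that interpolates package metadata straight into HTML lets markup inside a published manifest run as script, while escaping each untrusted field at render time keeps it as inert text. The manifest, field names, template and tag-count check are all constructed for this example.

```javascript
// Added example (not Verdaccio's code): stored XSS through package metadata
// in a registry UI, shown as a vulnerable renderer beside a hardened one.

// Constructed sample manifest. The "description" field carries markup that
// the UI must treat as text, never as HTML.
const SAMPLE_MANIFEST = {
  name: "example-pkg", // hypothetical package name
  version: "1.0.0",
  description: 'Useful tool <script>document.title="xss"</script>',
};

// Minimal HTML escaper covering the five characters that break out of
// text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: untrusted metadata is interpolated directly into markup,
// so any tag in the manifest becomes part of the page's DOM.
function renderUnsafe(manifest) {
  return `<div class="pkg"><h2>${manifest.name}</h2><p>${manifest.description}</p></div>`;
}

// Hardened pattern: every untrusted field passes through escapeHtml before
// it reaches the template, so the same input renders as visible text.
function renderSafe(manifest) {
  return `<div class="pkg"><h2>${escapeHtml(manifest.name)}</h2><p>${escapeHtml(manifest.description)}</p></div>`;
}

// Defender's check: the template contributes exactly six tags
// (<div>, <h2>, </h2>, <p>, </p>, </div>); any extra tag in the rendered
// output came from the data, which is the signature of an injection.
const TEMPLATE_TAG_COUNT = 6;

function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

function hasInjectedTags(html) {
  return countTags(html) > TEMPLATE_TAG_COUNT;
}

console.log("unsafe render injected tags:", hasInjectedTags(renderUnsafe(SAMPLE_MANIFEST)));
console.log("safe render injected tags:  ", hasInjectedTags(renderSafe(SAMPLE_MANIFEST)));
```

The tag-count check is deliberately simple and only works because the template is fixed; in a real UI the same idea is better applied by a templating engine that escapes by default, with the unsafe raw-HTML path reserved for content that has already been sanitised.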

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions   Patched versions
verdaccio   npm         < 3.12.0            3.12.0

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.