Backdoor in veged/coa NPM repository
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | N/A |
| CWE-ID | CWE-506 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #1 is being exploited in the wild. |
| Vulnerable software Subscribe |
coa Universal components / Libraries / Libraries used by multiple products |
| Vendor | Sergey Berezhnoy |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
1) Embedded malicious code (backdoor)
EUVDB-ID: #VU57962
Risk: Critical
CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-506 - Embedded Malicious Code
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the application.
The npm package has been compromised and includes cryptomining and password stealing malware.
MitigationThe latest version of the software is 2.0.2, which does not have malicious code.
coa: 2.0.3 - 2.1
External linkshttp://ezplatform.com/security-advisories/ibexa-sa-2021-009-malicious-code-in-npm-veged-coa
http://github.com/veged/coa/issues/99
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
