CVE-2022-29244: npm packing does not respect root-level ignore files in workspaces

Published Jun 13, 2022
·
Updated

A flaw was found in npm. This security issue occurs because the npm pack ignores root-level ".gitignore" and ".npmignore" file exclusion directives when run in a workspace or with a workspace flag (for example, --workspaces, --workspace=<name>). Anyone who has run 'npm pack' or 'npm publish' inside a workspace has published files into the npm registry they did not intend to include. This flaw exposes sensitive information to an unauthorized user or an attacker.

Affected Software

6 affected componentsFixes available
redhat/nodejs<1:16.16.0-1.el9_0
1:16.16.0-1.el9_0
redhat/Node.js<16.15.1
16.15.1
redhat/Node.js<17.19.1
17.19.1
redhat/Node.js<18.3.0
18.3.0
npmjs npm>=7.9.0<8.11.0
NetApp ONTAP Select Deploy administration utility

Remediation

Patch Available

https://github.com/nodejs/node/pull/43210

Event History

Jun 13, 2022
CVE Published
12:00 AM
CVE Published
via MITRE·01:40 PM
Data Sourced
via MITRE·01:40 PM
DescriptionWeakness
Jun 20, 2022
Data Sourced
via Red Hat·05:54 AM
DescriptionSeverityAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2022-29244?

CVE-2022-29244 is a security vulnerability in npm that allows ignoring certain exclusion directives.

2

How does the security issue in CVE-2022-29244 occur?

The security issue in CVE-2022-29244 occurs because npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag.

3

Who is affected by CVE-2022-29244?

Anyone who has run npm pack or npm publish inside a workspace may be affected by CVE-2022-29244.

4

What is the severity of CVE-2022-29244?

The severity of CVE-2022-29244 is high with a CVSS score of 7.5.

5

How can I fix CVE-2022-29244?

To fix CVE-2022-29244, update Node.js to version 16.15.1, 17.19.1, or 18.3.0, or update the nodejs package to version 1:16.16.0-1.el9_0.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203