When is a vulnerability in a React/Angular library dangerous? [closed]

I’m currently studying cybersecurity and I see that there are several CVEs related to libraries used in React/Angular.

For example:

│ Critical      │ Prototype Pollution in minimist                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular/cli                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular/cli > @schematics/update > pacote >                 │
│               │ npm-registry-fetch > make-fetch-happen > cacache >           │
│               │ move-concurrently > copy-concurrently > mkdirp > minimist    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-xvch-5gv4-984h            │

My question is:

In this minimist example, how is it possible for someone to attack a server (or harm the website in any way) due to this vulnerability?

Or is it only possible to exploit these vulnerabilities after hacking the server?

The question is too broad, but I’d start by saying that @angular/cli runs on the developer’s laptop or build server. So after exploiting that, or any vulnerability on it, you’d have to consider that, for instance, if you manipulate it to produce a malicious executable, it will have to be moved to the target web server. And to run it there, it will require non-secure permissions and an execution trigger.
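Added example (not part of the original question or answer): one way to triage audit findings like the one above is to check whether the root of each dependency path is a runtime or a build-time dependency of the project. The `package.json` contents, the `example-runtime-lib` package and the second finding are constructed for illustration; only the first path comes from the audit output in the question.

```javascript
// Constructed sample manifest; versions are placeholders.
const samplePackageJson = {
  dependencies: { "@angular/core": "*", "example-runtime-lib": "*" },
  devDependencies: { "@angular/cli": "*" },
};

const sampleFindings = [
  // Path copied from the audit output in the question.
  { pkg: "minimist", path: "@angular/cli > @schematics/update > pacote > " +
      "npm-registry-fetch > make-fetch-happen > cacache > move-concurrently > " +
      "copy-concurrently > mkdirp > minimist" },
  // Hypothetical second path, constructed to show the mixed case.
  { pkg: "minimist", path: "example-runtime-lib > minimist" },
];

// Own-property check so names like "constructor" never match by inheritance.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

// Where does the top-level package that pulls in the finding run?
function scopeOfRoot(pkgJson, root) {
  if (has(pkgJson.dependencies, root)) return "runtime";
  if (has(pkgJson.optionalDependencies, root)) return "runtime";
  if (has(pkgJson.devDependencies, root)) return "build-time";
  return "unknown";
}

// Group findings per vulnerable package; the most exposed path decides.
function triage(pkgJson, findings) {
  const rank = { "build-time": 0, unknown: 1, runtime: 2 };
  const byPkg = new Map();
  for (const f of findings) {
    const chain = f.path.split(">").map((s) => s.trim()).filter(Boolean);
    const entry = {
      root: chain[0],
      depth: chain.length - 1, // hops from the root to the flagged package
      scope: scopeOfRoot(pkgJson, chain[0]),
    };
    const seen = byPkg.get(f.pkg) || { worst: entry.scope, paths: [] };
    seen.paths.push(entry);
    if (rank[entry.scope] > rank[seen.worst]) seen.worst = entry.scope;
    byPkg.set(f.pkg, seen);
  }
  return byPkg;
}

for (const [pkg, info] of triage(samplePackageJson, sampleFindings)) {
  console.log(pkg, info.worst, info.paths);
}
```

A "build-time" result means the flagged code runs on developer machines and CI rather than in the deployed application, which is the distinction the answer draws for @angular/cli.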
