lirantal lockfile-lint-api
cpe:2.3:a:lirantal:lockfile-lint-api:*:*:*:*:node.js:*:*
- < 5.9.2
A vulnerability exists in the lockfile-lint-api package, specifically in versions prior to 5.9.2. The issue arises from an incorrect validation order that allows for early validation bypass via the resolved attribute of package URLs. This flaw can be exploited by extending the package name, enabling the installation of unintended npm packages.
Exploitation of this vulnerability could lead to the installation of malicious npm packages, bypassing intended package name validations.
The vulnerability can be reproduced by using lockfile-lint with the --validate-package-names option. When a package name is extended (for example, changing 'meow' to 'meowlicious'), the validation incorrectly allows the tampered package to be installed, demonstrating the early validation bypass.
Users are advised to upgrade lockfile-lint-api to version 5.9.2 or higher.
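The bypass described above comes down to a name check that tolerates a longer name in the resolved URL than the lockfile entry declares. The following is an added illustrative check, not lockfile-lint-api's own code: it extracts the package name embedded in a registry tarball URL and compares it with the lockfile entry name, showing a prefix comparison (which accepts "meowlicious" for "meow") beside an exact comparison. The allowed registry host, the tarball URL shape and the sample entries are assumptions, modelled on the public npm registry layout.

```javascript
// Added example (not lockfile-lint-api's own code): cross-check a lockfile
// entry's name against the package name embedded in its `resolved` URL.
// Assumed tarball shape: https://<host>/<name>/-/<basename>-<version>.tgz

const ALLOWED_HOSTS = new Set(['registry.npmjs.org']); // assumption

// Extract "<name>" (including any @scope/ prefix) from a registry tarball URL.
// Returns null for unparsable URLs, unexpected hosts or an unexpected path shape.
function packageNameFromResolved(resolved) {
  try {
    const url = new URL(resolved);
    if (!ALLOWED_HOSTS.has(url.host)) return null;
    const marker = url.pathname.indexOf('/-/');
    if (marker < 1) return null;
    return decodeURIComponent(url.pathname.slice(1, marker));
  } catch {
    return null; // malformed URL or bad percent-encoding
  }
}

// Weak form: a prefix test lets "meowlicious" pass for an entry named "meow".
function prefixMatch(name, resolved) {
  const found = packageNameFromResolved(resolved);
  return found !== null && found.startsWith(name);
}

// Hardened form: the name in the URL must equal the lockfile entry name.
function exactMatch(name, resolved) {
  return packageNameFromResolved(resolved) === name;
}

// Scan a map of { entryName: resolvedUrl } and return the names that fail the check.
function findMismatches(entries, check = exactMatch) {
  return Object.entries(entries)
    .filter(([name, resolved]) => !check(name, resolved))
    .map(([name]) => name);
}

// Constructed sample lockfile entries; the "meow" entry is tampered.
const SAMPLE_ENTRIES = {
  meow: 'https://registry.npmjs.org/meowlicious/-/meowlicious-1.0.0.tgz',
  '@babel/core': 'https://registry.npmjs.org/@babel/core/-/core-7.24.0.tgz',
  lodash: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
};

console.log('prefix check flags:', findMismatches(SAMPLE_ENTRIES, prefixMatch)); // []
console.log('exact check flags: ', findMismatches(SAMPLE_ENTRIES, exactMatch));  // [ 'meow' ]
```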