OSTIF is proud to announce the publication of the security audit of nvm in collaboration with 7ASecurity

nvm is a version manager for node.js that works on any POSIX-compliant shell on Linux, Mac, and Windows. For this audit, 7ASecurity performed a whitebox security review and penetration test of the open source project. Executed during October 2023, this was nvm’s first security audit, and the audit team was remarkably impressed with the stature of the project and its vigorous and thorough documentation.

This audit identified two high-severity findings, both addressed by the nvm maintainer Jordan Harband, as well as two weaknesses considered hardening recommendations rather than vulnerabilities. The two exploitable vulnerabilities could only be triggered if a threat actor controlled environment variables. In addition to pentesting and code review, the audit team produced documentation for nvm. First, they created a lightweight threat model of the project, which includes two figures illustrating possible attacks and exploit scenarios. Second, they evaluated nvm against Supply-Chain Levels for Software Artifacts (“SLSA”), versions 1.0 and 0.1, to analyze the maturity of its software supply-chain practices and to provide recommendations based on the findings. This documentation can act as guidance and direction for future work on nvm, not limited to security impact. Also implemented in this engagement, but not detailed in the report, were Command Line Interface fuzzers for inclusion in nvm’s CI/CD pipelines, which will strengthen security and help prevent future security flaws from being introduced.

This was the first audit engagement in a collaboration between OSTIF and OpenJS to provide OpenJS Foundation projects with security audits. As mentioned earlier, this is also the first security audit that nvm has undergone in its lifecycle. It is very exciting that the results of this audit are so encouraging and speak to the health of the nvm code and community. OSTIF wishes all the best for nvm as it moves forward with new recommendations for its future security posture. This project stands as an example of what a well-maintained, reviewed, and supported project can learn from undergoing a security audit.

“nvm has never had a security audit before. OSTIF and the firm they retained were extraordinarily helpful and thorough. The engineers involved were very willing to consider maintainer points of view, and were also quite persuasive – some flags they raised turned out to be nothing, and some turned out to be issues that were more important than they initially seemed, so it was great to surface the best answer with enthusiastic discussion. I look forward to working with OSTIF and 7ASecurity in the future!”

Jordan Harband, nvm maintainer

OSTIF would like to thank Jordan Harband and the nvm community for their responsibility, activity, and contributions to nvm and to the success of this audit. They were accessible and responsive to 7ASecurity’s work and questions, which was incredibly helpful and appreciated by the audit team. Our gratitude also extends to the 7ASecurity team, specifically Abraham Aranguren, MSc, Dariusz Jastrzębski, Miroslav Štampar, PhD, and Stefan Nicula, PhD, for their incredible work on this engagement, which extended beyond the 28 working days mentioned in the report. Your dedication is exemplary. Finally, we would like to thank OpenJS, specifically Ben Sternthal and Robin Ginn, for their financial and professional support of this important project.

Read OpenJS’s blog HERE

Read the Audit Report HERE

Read 7A Security’s blog HERE