7ASecurity had the privilege to collaborate with the Open Source Technology Improvement Fund (OSTIF), as well as the Node Version Manager (nvm) team, in a recent security audit of the nvm project.
What is Node Version Manager?
nvm is an open-source version manager for Node.js. It is designed to be secure, reliable and easy to use.
nvm operates as an open-source project located on GitHub and has a large number of contributors, users, and maintainers.
The Test
The project was solicited by the nvm team, funded by the Open Source Technology Improvement Fund, Inc (OSTIF), and executed by 7ASecurity in October of 2023. The audit team dedicated 28 working days to complete this assignment.
During this iteration, the aim was to review the security posture of nvm, a popular open source and POSIX-compliant bash script to manage multiple active Node.js versions. The goal was to review the threat model boundaries as thoroughly as possible, to ensure nvm users can be provided with the best possible security.
The methodology implemented was whitebox: 7ASecurity was provided with access to documentation and source code. A team of 4 senior auditors carried out all tasks required for this engagement, including preparation, delivery, documentation of findings and communication.
Only two directly exploitable vulnerabilities could be identified during this assignment (NVM-01-003, NVM-01-004) and both of them require adversaries to control environment variables. This should be viewed as an excellent result, particularly given this is the first time the project has been audited.
Additionally, the only remaining weaknesses found were hardening recommendations with the lowest possible severity.
Conclusion
7ASecurity would like to take this opportunity to sincerely thank Jordan Harband and the rest of the nvm team, for their exemplary assistance and support throughout this audit. Last but not least, appreciation must be extended to the Open Source Technology Improvement Fund, Inc (OSTIF) for sponsoring this project.
Overall, nvm is a very active project in GitHub, has a good support forum and is well documented. This results in prompt answers to user-reported issues as well as a generally short turnaround time for implementing any fixes.
You can read the full report here.
