OpenJS Security Audit for nvm Completed Successfully

OpenJS Foundation and 7ASecurity collaborated on the nvm security audit with the Open Source Technology Improvement Fund (OSTIF) as a result of the latest funding from the Sovereign Tech Fund.

The OpenJS Foundation is receiving financial support from the Sovereign Tech Fund to help OpenJS Foundation projects move to more secure and modern technologies and policies. 7ASecurity carried out the nvm security audit in collaboration with the Open Source Technology Improvement Fund (OSTIF).

nvm is a version manager for Node.js, used to manage multiple active Node.js versions. The goal of the audit, requested by nvm, was to review the threat model boundaries as thoroughly as possible, in order to ensure nvm users are provided with the best possible security.

To complete the audit, 7ASecurity was provided with access to nvm documentation and source code. A team of 4 senior auditors carried out all tasks required, including preparation, delivery, documentation of findings and communication.

The results were very positive.

Only two directly exploitable vulnerabilities could be identified (NVM-01-003, NVM-01-004), and both of them require adversaries to control environment variables.

Additionally, the only remaining weaknesses found were hardening recommendations with the lowest possible severity.

For a first-ever audit, we believe this is an excellent result. Additionally, the testing documentation produced by 7ASecurity can act as guidance in the future, including command-line fuzzers for inclusion in CI/CD pipelines, which will strengthen security and help prevent future security flaws from being introduced.

Full report available here.

About OpenJS Foundation

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 35 open source JavaScript projects including Appium, Electron, Jest, jQuery, Node.js, and webpack and is supported by 26 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Microsoft, and the Sovereign Tech Fund. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.