Node.js Trust Falls Dangerous Module Resolution on Windows #2108
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://www.thezdi.com/blog/2026/4/8/nodejs-trust-falls-dangerous-module-resolution-on-windows
Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (new page): "Node.js/Electron module resolution hijacking on Windows (C:\node_modules)" (cross-link from: Generic Hacking -> Uncontrolled search path element / hijacking patterns; and potentially from: Pentesting Web -> NodeJS Express as an ecosystem note)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title/Topic
ZDI analyzes a systemic Windows local privilege escalation (LPE) pattern caused by Node.js module resolution behavior: when resolving packages, Node.js includes `C:\node_modules` in its default search path. This maps to CWE-427: Uncontrolled Search Path Element. Because low-privileged users can commonly create `C:\node_modules` on Windows, attackers can plant malicious modules that may be loaded by higher-privileged Node.js/Electron applicati...
🔧 Technical Details
Trick 1 — Abusing Node.js upward module resolution to reach a user-writable root path (CWE-427):
If a Node/Electron app performs a bare import like `require('X')` and the legitimate module is missing, Node searches `node_modules` up the directory tree and can eventually probe `C:\node_modules` on Windows. If an attacker can create `C:\node_modules` and place a file/module matching the missing name (e.g., `C:\node_modules\X.js`), Node will load and execute it. This yields local code execution and can become LPE when the victim process runs with higher privileges (admin, auto-start elevated context, etc.).
Trick 2 — Turning npm's `optionalDependencies` "silent catch" pattern into a reliable load primitive:
Many packages intentionally wrap optional imports in a try/catch (or equivalent) to continue when the module isn't installed. On Windows, this "missing module but continue running" beha...
🤖 Agent Actions
I’m mapping the repo first and then I’ll read the most relevant Windows, Node.js, and search-path hijacking pages before deciding where this belongs.
I’ve got the structure. Next I’m checking whether HackTricks already documents this as a Windows search-path hijack, a Node/Electron note, or both, so I can avoid duplicating existing material.
The existing Windows content covers DLL search-order hijacks well, but not this JavaScript module-resolution variant. I’m checking where HackTricks already keeps references and related ecosystem notes so I can keep the change in one file without breaking navigation or style.
I’ve settled on a single-file update in the Windows LPE methodology, next to the existing PATH hijacking material. I’m adding a focused subsection for `C:\node_modules` abuse plus the source links at the file’s References section.
The content is in place. I’m tightening one grep example now so the command syntax is cleaner and the final diff stays copy-paste friendly.
Updated README.md with a new Windows LPE subsection covering Node.js/Electron module resolution hijacking via `C:\node_modules`. I placed it next to the existing PATH DLL hijacking material so it sits with the other Windows uncontrolled search-path privesc patterns, and kept the addition technique-focused rather than CVE-focused.
The new content covers the upward `node_modules` search behavior, why `optionalDependencies` and silent `require()` failures make it exploitable on Windows, how to validate it with Procmon, a minimal exploitation pattern, and defender-focused detection/hardening notes. I also updated the file’s `## References` section with the ZDI post plus Node.js, npm, and Procmon sources.
Verification: reviewed the diff and only README.md was modified. No tests were run.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
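The upward `node_modules` walk summarized in this PR description can be modeled for audit purposes. The block below is an added example, not code from the PR, HackTricks or the ZDI post: it lists the directories Node probes for a bare `require()` and keeps those outside an application's install root. The install path `C:\Program Files\ExampleApp`, the package name `somepkg` and all function names are hypothetical.

```javascript
// Added example: models Node's documented upward node_modules walk for
// Windows paths. Pure string handling, so it runs on any OS.

// Directories probed for a bare require('X') from a file in `fromDir`, nearest first.
function nodeModulePaths(fromDir) {
  const parts = fromDir.replace(/\//g, '\\').split('\\').filter(Boolean);
  const out = [];
  for (let i = parts.length; i >= 1; i--) {
    // Documented rule: a directory named node_modules does not get node_modules appended.
    if (parts[i - 1] === 'node_modules') continue;
    out.push(parts.slice(0, i).concat('node_modules').join('\\'));
  }
  return out;
}

// Case-insensitive "is child inside root" test for Windows paths.
function isInside(child, root) {
  const norm = (p) => p.replace(/\//g, '\\').replace(/\\+$/, '').toLowerCase() + '\\';
  return norm(child).startsWith(norm(root));
}

// Probe directories that fall outside the application's install root, de-duplicated.
function probesOutsideInstall(installRoot, requiringDirs) {
  const seen = new Set();
  for (const dir of requiringDirs) {
    for (const candidate of nodeModulePaths(dir)) {
      if (!isInside(candidate, installRoot)) seen.add(candidate);
    }
  }
  return [...seen];
}

// Constructed sample layout (hypothetical application, not from the page).
const INSTALL_ROOT = 'C:\\Program Files\\ExampleApp';
const REQUIRING_DIRS = [
  'C:\\Program Files\\ExampleApp\\resources\\app',
  'C:\\Program Files\\ExampleApp\\resources\\app\\node_modules\\somepkg\\lib',
];

for (const dir of probesOutsideInstall(INSTALL_ROOT, REQUIRING_DIRS)) {
  console.log('review ACL / watch for creation:', dir);
}
```

Which of the listed directories a low-privileged user can actually create depends on the host's ACLs; the PR description singles out `C:\node_modules`.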