Malicious Open-Source Packages in SAP Cloud Application Programming Model
SAP Cloud Application Programming Model (Node.js)
CVSS 10.0, the maximum possible score. A supply-chain compromise of a development framework means every application built on an affected CAP for Node.js version may have pulled the malicious packages into its dependency tree, and every developer workstation, build agent and CI runner that installed those versions may already have executed their code. If your organisation builds on CAP for Node.js, treat this as an all-hands emergency: consider affected environments compromised until they are patched and audited, and rotate any credentials those environments could reach.
Vulnerability Detail
SAP identified malicious open-source NPM packages that had been included as dependencies of the Cloud Application Programming Model (CAP) for Node.js. An attacker who can influence dependency resolution or the upstream supply chain can thereby cause the application, or the build that installs it, to execute malicious code, with full impact on confidentiality, integrity and availability. SAP rates this CVSS 10.0, the maximum score. Note that npm runs a package's lifecycle scripts (preinstall, install, postinstall) during installation unless told not to, so the malicious code may already have run wherever the affected versions were installed, not only where the application was deployed.
Workaround
Until the patched version is deployed, audit the full dependency tree of every CAP for Node.js project, including transitive dependencies (npm ls --all, or the lockfile itself, not just package.json), for the affected packages and versions, and remove or replace them. Install from the reviewed lockfile with npm ci rather than npm install so that resolution cannot drift, and add --ignore-scripts for the audit pass so that no lifecycle script runs before you have checked the tree.
Patch Action
Apply SAP Note 3747787. Then review the lockfiles (package-lock.json, or the equivalent for your package manager) and dependency manifests of every CAP Node.js project for the affected package versions, and rebuild and redeploy from a clean install rather than trusting existing node_modules directories or build caches.
Affected Versions
Patch Info