CVE-2019-16775

Unauthorized File Access in npm CLI before version 6.13.3

CVSS 7.7 HIGH · EPSS 3.3% · CWE-61: UNIX Symbolic Link (Symlink) Following
In short

npm CLI versions before 6.13.3 let a malicious package create symbolic links to arbitrary files on the installing user's system during installation, potentially exposing or overwriting sensitive data, even when install scripts are disabled with --ignore-scripts.

Technical detail

The npm CLI fails to validate the symlink destinations declared in a package's bin field during installation, so a published package can make npm create symlinks that point outside node_modules to arbitrary filesystem locations. Bin linking is part of normal installation and is not a lifecycle script, so the --ignore-scripts flag does not prevent it; the resulting file access or modification happens with the privileges of the installing user.

Summary generated and translated by AI from the official description.
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Affected products
npm · cli
