CVE-2019-16776

Unauthorized File Access in npm CLI before version 6.13.3

CVSS 7.7 HIGH · EPSS 3.3% · CWE-22
In short

npm versions before 6.13.3 allow malicious packages to write files anywhere on your system during installation, not just in the project folder. An attacker can craft a package that modifies or accesses your personal files when you install it.

Technical detail

The npm CLI fails to properly validate the bin field in package.json, allowing path traversal (CWE-22) that bypasses the node_modules directory boundary. A malicious package can write arbitrary files to the filesystem during installation. Because the bin field is processed by the installer itself rather than by an install script, the --ignore-scripts flag does not prevent this write; it only blocks the separate, script-based route to the same outcome.

Summary generated and translated by AI from the official description.

Official description: Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Affected products
npm · cli
