Description
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.
References (8)
Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/61083
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=983917
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2013/07/11/9
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715325
Third Party Advisory x_refsource_confirm
https://github.com/npm/npm/issues/3635
Patch, Third Party Advisory x_refsource_confirm
https://github.com/npm/npm/commit/f4d31693
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2013/07/10/17
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/87141
Scores
EPSS
0.0010
EPSS Percentile
27.9%
Details
CWE
CWE-59
Status
published
Products (2)
node_packaged_modules_project/node_packaged_modules
< 1.3.3
npm/npm
0 - 1.3.3npm
Published
Apr 22, 2014
Tracked Since
Feb 18, 2026