Description
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
References (11)
Scores
CVSS v3
7.7
EPSS
0.0068
EPSS Percentile
71.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-61
CWE-59
Status
published
Products (9)
fedoraproject/fedora
31
npm/npm
0 - 6.13.3npm
npmjs/npm
< 6.13.3
opensuse/leap
15.1
oracle/graalvm
19.3.0.2
oracle/graalvm
20.3.3
oracle/graalvm
21.2.2
redhat/enterprise_linux
8.0
redhat/enterprise_linux_eus
8.1
Published
Dec 13, 2019
Tracked Since
Feb 18, 2026