CVE-2019-16775

HIGH

npm CLI <6.13.3 - Arbitrary File Write

Title source: llm
STIX 2.1

Description

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

References (11)

Core 11
Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHEA-2020:0330
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0573
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0579
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0597
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0602
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2020.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html

Scores

CVSS v3 7.7
EPSS 0.0327
EPSS Percentile 86.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Details

CWE
CWE-61 CWE-59
Status published
Products (9)
fedoraproject/fedora 31
npm/npm 0 - 6.13.3npm
npmjs/npm < 6.13.3
opensuse/leap 15.1
oracle/graalvm 19.3.0.2
oracle/graalvm 20.3.3
oracle/graalvm 21.2.2
redhat/enterprise_linux 8.0
redhat/enterprise_linux_eus 8.1
Published Dec 13, 2019
Tracked Since Feb 18, 2026