CVE-2019-16776

HIGH

npm < 6.13.3 - Arbitrary File Write via package.json bin Field

Title source: llm
STIX 2.1

Description

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

References (10)

Core 10
Core References
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2020.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHEA-2020:0330
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0573
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0579
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0597
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0602

Scores

CVSS v3 7.7
EPSS 0.0123
EPSS Percentile 79.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Details

CWE
CWE-22
Status published
Products (7)
fedoraproject/fedora 31
npm/npm 0 - 6.13.3npm
npmjs/npm < 6.13.3
opensuse/leap 15.1
oracle/graalvm 19.3.0.2
redhat/enterprise_linux 8.0
redhat/enterprise_linux_eus 8.1
Published Dec 13, 2019
Tracked Since Feb 18, 2026