CVE-2019-16777

HIGH

npm < 6.13.4 - Arbitrary File Overwrite via Global Binary Installation

Title source: llm
STIX 2.1

Description

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

References (11)

Core 11
Core References
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2020.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHEA-2020:0330
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0573
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0579
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0597
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0602
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202003-48

Scores

CVSS v3 7.7
EPSS 0.0059
EPSS Percentile 69.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Details

CWE
CWE-22 CWE-269
Status published
Products (7)
fedoraproject/fedora 31
npm/npm 0 - 6.13.4npm
npmjs/npm < 6.13.4
opensuse/leap 15.1
oracle/graalvm 19.3.0.2
redhat/enterprise_linux 8.0
redhat/enterprise_linux_eus 8.1
Published Dec 13, 2019
Tracked Since Feb 18, 2026