PT-2018-3978 · Npm · Npm

Crunkle · Published 2018-02-22 · Updated 2022-05-13 · CVE-2018-7408

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: npm version 5.7.0

Description: The issue is in the correctMkdir component of the npm package manager, which incorrectly assigns permissions for a critical resource. This could allow an attacker to bypass existing security restrictions. The problem might enable local users to bypass intended filesystem access restrictions because the ownership of the /etc and /usr directories is changed unexpectedly.

Recommendations: For npm version 5.7.0, consider restricting access to critical resources until a patch is available. As a temporary workaround, avoid using the correctMkdir component to minimize the risk of exploitation.
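A host-side check for the symptom described above, as an added example that is not part of the original advisory or of npm: it flags the affected release and lists entries under /etc and /usr that are no longer owned by the expected account. The function names, the depth limit of 2 and the assumption that these trees should be owned by uid 0 are choices made for this sketch.

```shell
#!/bin/sh
# Added example: ownership audit for hosts where npm 5.7.0 may have been run.
# Function names and defaults are hypothetical, not taken from the advisory.

# is_affected VERSION
# Succeeds only for the release this page lists as affected.
is_affected() {
    [ "$1" = "5.7.0" ]
}

# list_unexpected_owner DIR EXPECTED_UID [MAXDEPTH]
# Prints an "ls -ldn" line (numeric uid/gid) for every entry at or below DIR,
# down to MAXDEPTH levels, whose owner is not EXPECTED_UID.
# A missing DIR produces no output.
list_unexpected_owner() {
    dir=$1; uid=$2; depth=${3:-2}
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth "$depth" -xdev ! -uid "$uid" \
        -exec ls -ldn {} + 2>/dev/null
}

# audit_system
# Assumption: /etc and /usr are expected to be owned by uid 0.
# Some distributions ship a few service-owned subdirectories, so every
# finding needs review against a known-good host or the package database.
# Returns 1 and prints the findings when anything unexpected is found.
audit_system() {
    findings=$( { list_unexpected_owner /etc 0; list_unexpected_owner /usr 0; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run `is_affected "$(npm --version)"` to decide whether the host needs the audit, then `audit_system`; the third column of each reported line is the numeric owner to compare against a clean system.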

Fix

Incorrect Permission

Weakness Enumeration

Related Identifiers

BDU:2024-01409
CVE-2018-7408
GHSA-PH34-PC88-72GC

Affected Products

Npm