PT-2019-1105 · Npm · Npm Cli

Published: 2019-12-11 · Updated: 2022-08-02 · CVE-2019-16776

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: npm CLI versions prior to 6.13.3
Description: The issue exists because npm does not correctly restrict path names to a directory with limited access. Exploitation may allow a remote attacker to write arbitrary files, either by creating a symbolic link to files outside the node_modules directory or by manipulating the bin field in package.json. This behavior is still possible through install scripts and therefore bypasses the --ignore-scripts install option. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed.
Recommendations: Upgrade to version 6.13.3 or later. As a temporary workaround, restrict the use of the bin field in package.json to minimize the risk of exploitation, and avoid relying on the bin field until the fix is applied.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

ALEA-2020:0330
ALSA-2020:0579
ALT-PU-2019-3385
ALT-PU-2020-2196
BDU:2019-04690
CESA-2020_0579
CVE-2019-16776
GHSA-X8QC-RRCW-4R46
MGASA-2020-0372
OPENSUSE-SU-2020:0059-1
OPENSUSE-SU-2020_0059-1
RHSA-2020:0573
RHSA-2020:0579
RHSA-2020:0597
RHSA-2020:0602
RHSA-2020:2625
RHSA-2020_0579
RLSA-2020:0579
SUSE-SU-2020:0043-1
SUSE-SU-2020:0063-1
SUSE-SU-2020:0104-1
SUSE-SU-2020:0247-1
SUSE-SU-2020:0429-1

Affected Products

Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Suse
Npm Cli