CVE-2019-16775: Unauthorized File Access in npm CLI before before version 6.13.3
First published: Fri Dec 13 2019(Updated: )
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/npm | <6.13.3 | 6.13.3 |
| redhat/nodejs | <8.17.0 | 8.17.0 |
| redhat/nodejs | <10.18.0 | 10.18.0 |
| redhat/nodejs | <12.14.0 | 12.14.0 |
| redhat/nodejs | <13.4.0 | 13.4.0 |
| Red Hat Enterprise Linux | =8.0 | |
| redhat enterprise Linux eus | =8.1 | |
| npm | <6.13.3 | |
| openSUSE | =15.1 | |
| Oracle GraalVM Enterprise Edition | =19.3.0.2 | |
| Oracle GraalVM Enterprise Edition | =20.3.3 | |
| Oracle GraalVM Enterprise Edition | =21.2.2 | |
| Fedora | =31 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
- https://access.redhat.com/errata/RHEA-2020:0330
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0602
- https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
- https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.npmjs.com/advisories/1436
- https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1788307
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1788306
- https://access.redhat.com/security/cve/CVE-2019-10773
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/security/cve/cve-2019-16775
- https://access.redhat.com/errata/RHSA-2020:2625
- https://bugzilla.redhat.com/show_bug.cgi?id=1788305
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
Frequently Asked Questions
What is CVE-2019-16775?
CVE-2019-16775 is a vulnerability in versions of the npm CLI prior to 6.13.3 that allows for an arbitrary file write.
How does CVE-2019-16775 work?
CVE-2019-16775 allows packages to create symlinks to files outside of the node_modules folder through the bin field upon installation.
What is the severity of CVE-2019-16775?
CVE-2019-16775 has a severity value of 6.5, which is considered high.
How can I fix CVE-2019-16775?
To fix CVE-2019-16775, you should update to npm CLI version 6.13.3 or later.
Where can I find more information about CVE-2019-16775?
You can find more information about CVE-2019-16775 in the npm advisory and the Node.js blog post linked in the references.
- agent/weakness
- agent/type
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-16775
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/title
- agent/severity
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/8.1
- vendor/npmjs
- canonical/npm
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1
- vendor/oracle
- canonical/oracle graalvm enterprise edition
- version/oracle graalvm enterprise edition/19.3.0.2
- version/oracle graalvm enterprise edition/20.3.3
- version/oracle graalvm enterprise edition/21.2.2
- vendor/fedoraproject
- canonical/fedora
- version/fedora/31