What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2019-16776.

What is the severity of CVE-2019-16776?

The severity of CVE-2019-16776 is high (8.1).

Which versions of the npm CLI are affected?

Versions of the npm CLI prior to 6.13.3 are affected.

How can I fix CVE-2019-16776?

To fix CVE-2019-16776, make sure to update the npm CLI to version 6.13.3 or later.

Where can I find more information about CVE-2019-16776?

More information about CVE-2019-16776 can be found at the following references: [npm advisory](https://www.npmjs.com/advisories/1434), [Node.js blog](https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/), [npm blog](https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli).

Vulnerability/
CVE-2019-16776

high

8.1

CWE

22 20

12/12/2019

13/12/2019

5/8/2024

CVE-2019-16776: Unauthorized File Access in npm CLI before before version 6.13.3

First published: Thu Dec 12 2019(Updated: )

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running npm install has access to and it is not possible to overwrite files that already exist on disk. References: <a href="https://www.npmjs.com/advisories/1434">https://www.npmjs.com/advisories/1434</a> <a href="https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/">https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/</a> <a href="https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli">https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli</a>

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
redhat/rh-nodejs10-nodejs	<0:10.19.0-1.el7	0:10.19.0-1.el7
redhat/rh-nodejs12-nodejs	<0:12.16.1-1.el7	0:12.16.1-1.el7
redhat/rh-nodejs8-nodejs	<0:8.17.0-2.el7	0:8.17.0-2.el7
Npmjs Npm	<6.13.3
openSUSE Leap	=15.1
Oracle GraalVM	=19.3.0.2
Fedoraproject Fedora	=31
Redhat Enterprise Linux	=8.0
Redhat Enterprise Linux Eus	=8.1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2019-16776.
What is the severity of CVE-2019-16776?
The severity of CVE-2019-16776 is high (8.1).
Which versions of the npm CLI are affected?
Versions of the npm CLI prior to 6.13.3 are affected.
How can I fix CVE-2019-16776?
To fix CVE-2019-16776, make sure to update the npm CLI to version 6.13.3 or later.
Where can I find more information about CVE-2019-16776?
More information about CVE-2019-16776 can be found at the following references: [npm advisory](https://www.npmjs.com/advisories/1434), [Node.js blog](https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/), [npm blog](https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli).

collector/redhat-cve
collector/nvd-index
agent/type
agent/first-publish-date
agent/softwarecombine
agent/author
agent/weakness
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2019-16776
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/references
agent/last-modified-date
agent/title
agent/severity
agent/tags
agent/event
agent/description
package-manager/redhat
vendor/npmjs
canonical/npmjs npm
vendor/opensuse
canonical/opensuse leap
version/opensuse leap/15.1
vendor/oracle
canonical/oracle graalvm
version/oracle graalvm/19.3.0.2
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/31
vendor/redhat
canonical/redhat enterprise linux
version/redhat enterprise linux/8.0
canonical/redhat enterprise linux eus
version/redhat enterprise linux eus/8.1