#VU23888 Symlink following in NPM


Published: 2020-01-02 | Updated: 2020-02-24

Vulnerability identifier: #VU23888

Vulnerability risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16775

CWE-ID: CWE-61

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
NPM
Web applications / CMS

Vendor: isaacs

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the npm install are affected.

Mitigation
Install update from vendor's website.

Vulnerable software versions

NPM: 1.1.25 - 6.13.2

External links
http://www.npmjs.com/advisories/1436

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM InfoSphere Information Server
Multiple vulnerabilities in IBM VM Recovery Manager DR
Red Hat Software Collections update for rh-nodejs10-nodejs
Red Hat Software Collections security update for rh-nodejs12-nodejs
Red Hat 8 update for nodejs:10
Red Hat update for nodejs:10 module
Red Hat Enterprise Linux 8 update for nodejs:12
OpenSUSE Linux update for nodejs8
Multiple vulnerabilities in npm package for Node.js