CVE-2019-16777
Arbitrary File Overwrite in npm CLI
In short
npm before version 6.13.4 allows packages to overwrite existing programs installed on your computer. An attacker can replace legitimate tools with malicious versions without your knowledge.
Technical detail
CWE-22 path traversal vulnerability in npm CLI (<6.13.4) allows arbitrary file overwrite of globally-installed binaries during package installation. The vulnerability persists despite --ignore-scripts flag and can be exploited during normal package installation workflows, enabling binary substitution attacks.
Summary generated and translated by AI from the official description.
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Affected products
npm · cliWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.htmlhttps://access.redhat.com/errata/RHEA-2020:0330https://access.redhat.com/errata/RHSA-2020:0573https://access.redhat.com/errata/RHSA-2020:0579https://access.redhat.com/errata/RHSA-2020:0597https://access.redhat.com/errata/RHSA-2020:0602https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-clihttps://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjrhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/https://security.gentoo.org/glsa/202003-48https://www.oracle.com/security-alerts/cpujan2020.html