CVE-2019-16775 — UNIX Symbolic Link (Symlink) Following in CLI
Severity
6.5MEDIUMNVD
CNA7.7
EPSS
0.7%
top 28.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 13
Latest updateJan 6
Description
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6
Affected Packages6 packages
Also affects: Fedora 31, Enterprise Linux 8.0, 8.1
🔴Vulnerability Details
4📋Vendor Advisories
2💬Community
3Bugzilla▶
CVE-2019-16775 nodejs: Symlink reference outside of node_modules folder through the bin field upon installation [fedora-all]↗2020-01-06
Bugzilla▶
CVE-2019-16775 nodejs: npm: Symlink reference outside of node_modules folder through the bin field upon installation [epel-all]↗2020-01-06
Bugzilla▶
CVE-2019-16775 npm: Symlink reference outside of node_modules folder through the bin field upon installation↗2020-01-06