NodeJS/npm/6.10.0-next.0


a package manager for JavaScript

https://www.npmjs.com/package/npm
Artistic-2.0

4 Security Vulnerabilities

npm Vulnerable to Global node_modules Binary Overwrite

Published date: 2019-12-13T15:39:32Z
CVE: CVE-2019-16777
Links:

Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations.

For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global node_modules directory.

This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Recommendation

Upgrade to version 6.13.4 or later.

Affected versions: ["1.1.25", "1.2.32", "1.3.2", "1.3.4", "1.2.20", "1.2.21", "1.2.22", "1.2.23", "1.2.24", "1.2.25", "1.2.27", "1.2.28", "1.2.30", "1.2.31", "1.3.0", "1.3.1", "1.2.19", "1.1.70", "1.1.71", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.3.9", "1.3.10", "1.3.11", "1.3.12", "1.3.13", "1.3.14", "1.3.15", "1.3.16", "1.3.17", "1.3.18", "1.3.20", "1.3.21", "1.3.22", "1.3.23", "1.3.24", "1.3.25", "1.3.26", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.2.8000", "1.4.17", "1.4.18", "1.4.19", "1.5.0-alpha-0", "1.5.0-alpha-1", "1.4.20", "1.5.0-alpha-2", "1.4.21", "1.5.0-alpha-3", "1.5.0-alpha-4", "2.0.0-alpha-5", "1.4.22", "1.4.23", "2.0.0-alpha.6.0", "1.4.24", "2.0.0-alpha.6", "2.0.0-alpha.7", "2.0.0-beta.0", "1.4.25", "2.0.0-beta.1", "1.4.26", "2.0.0-beta.2", "1.4.27", "2.0.0-beta.3", "1.4.28", "2.0.0", "2.0.1", "2.0.2", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.6", "2.1.7", "2.1.8", "2.1.9", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.16", "2.1.17", "2.1.18", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.6.0", "2.6.1", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.9.0", "2.9.1", "2.10.0", "2.10.1", "2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.12.0", "3.0.0", "2.12.1", "2.13.0", "3.1.0", "2.13.1", "3.1.1", "3.1.2", "2.13.2", "3.1.3", "2.13.3", "3.2.0", "2.13.4", "3.2.1", "2.13.5", "3.2.2", "2.14.0", "3.3.0", "2.14.1", "2.14.2", "3.3.1", "2.14.3", "3.3.2", "2.14.4", "3.3.3", "2.14.5", "3.3.4", "2.14.6", "3.3.5", "3.3.6", "2.14.7", "2.14.8", "3.3.7", "3.3.8", "3.3.9", "3.3.10", "2.14.9", "3.3.11", "1.4.29", "3.3.12", "2.14.10", "3.4.0", "3.4.1", "2.14.11", "2.14.12", "3.5.0", "3.5.1", "2.14.13", "2.14.14", "3.5.2", "2.14.15", "3.5.3", "3.5.4", "3.6.0", "2.14.16", "2.14.17", "3.7.0", "3.7.1", "3.7.2", "2.14.18", "3.7.3", "2.14.19", "2.14.20", "3.7.4", "3.7.5", "2.14.21", "3.8.0", "2.14.22", "3.8.1", "3.8.2", "2.15.0", "2.15.1", "3.8.3", "2.15.2", "3.8.4", "3.8.5", "3.8.6", "2.15.3", "3.8.7", "2.15.4", "3.8.8", "3.8.9", "2.15.5", "3.9.0", "3.9.1", "2.15.6", "3.9.2", "3.9.3", "3.9.4", "3.9.5", "3.9.6", "3.10.0", "2.15.7", "3.10.1", "2.15.8", "3.10.2", "3.10.3", "3.10.4", "2.15.9", "3.10.5", "3.10.6", "3.10.7", "2.15.10", "3.10.8", "2.15.11", "3.10.9", "4.0.0", "4.0.1", "4.0.2", "3.10.10", "4.0.3", "4.0.5", "4.1.0", "4.1.1", "4.1.2", "4.2.0", "4.3.0", "4.4.0", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.5.0", "2.15.12", "4.6.0", "4.6.1", "5.0.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.1.0", "5.2.0", "5.3.0", "5.4.0", "5.4.1", "5.4.2", "5.5.0", "5.5.1", "5.6.0", "5.7.0", "5.7.1", "5.8.0-next.0", "5.8.0", "6.0.0-next.0", "5.9.0-next.0", "5.10.0-next.0", "6.0.0-next.1", "6.0.0-next.2", "6.0.0", "6.0.1-next.0", "5.10.0-next.1", "6.0.1", "5.10.0", "6.1.0-next.0", "6.1.0", "6.2.0-next.0", "6.2.0-next.1", "6.2.0", "6.3.0-next.0", "6.3.0", "6.4.0-next.0", "6.4.0", "6.4.1-next.0", "6.4.1", "6.5.0-next.0", "6.5.0", "6.6.0-next.0", "6.6.0-next.1", "6.6.0", "6.7.0", "6.8.0-next.0", "6.8.0-next.1", "6.8.0-next.2", "6.8.0", "6.9.0-next.0", "6.9.0", "6.9.1-next.0", "6.9.2", "6.10.0-next.0", "6.10.0", "6.10.1-next.0", "6.10.1-next.1", "6.10.1-next.2", "6.10.1", "6.10.2-next.0", "6.10.2-next.1", "6.10.2-next.2", "6.10.2-next.3", "6.10.2", "6.10.3", "6.11.0", "6.11.1", "6.11.2", "6.11.3", "6.12.0-next.0", "6.12.0", "6.12.1", "6.13.0", "6.13.1", "6.13.2", "6.13.3"]
Secure versions: [6.14.6, 6.14.7, 7.0.0-beta.0, 7.0.0-beta.1, 7.0.0-beta.2, 7.0.0-beta.3, 7.0.0-beta.4, 6.14.8, 7.0.0-beta.5, 7.0.0-beta.6, 7.0.0-beta.7, 7.0.0-beta.8, 7.0.0-beta.9, 7.0.0-beta.10, 7.0.0-beta.11, 7.0.0-beta.12, 7.0.0-beta.13, 7.0.0-rc.0, 7.0.0-rc.1, 7.0.0-rc.2, 7.0.0-rc.3, 7.0.0-rc.4, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 6.14.9, 7.0.14, 7.0.15, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 6.14.10, 7.3.0, 7.4.0, 6.14.11, 7.4.1, 7.4.2, 7.4.3, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 6.14.12, 7.7.5, 7.7.6, 7.8.0, 6.14.13, 6.14.14, 6.14.15, 6.14.16, 6.14.17, 8.11.0, 8.12.0, 8.12.1, 8.12.2, 8.13.0, 8.13.1, 8.13.2, 8.14.0, 8.15.0, 8.15.1, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 8.19.1, 9.0.0-pre.0, 8.19.2, 9.0.0-pre.1, 9.0.0-pre.2, 9.0.0-pre.3, 9.0.0-pre.4, 9.0.0-pre.5, 9.0.0-pre.6, 9.0.0, 9.0.1, 9.1.0, 8.19.3, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 6.14.18, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 8.19.4, 9.5.0, 9.5.1, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.6.6, 9.6.7, 9.7.0, 9.7.1, 9.7.2, 9.8.0, 9.8.1, 10.0.0-pre.0, 10.0.0-pre.1, 10.0.0, 10.1.0, 10.2.0, 9.9.0, 10.2.1, 10.2.2, 10.2.3, 9.9.1, 9.9.2, 10.2.4, 10.2.5, 10.3.0, 10.4.0, 9.9.3, 10.5.0, 10.5.1, 10.5.2, 10.6.0, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0]
Recommendation: Update to version 10.9.0.

npm CLI exposing sensitive information through logs

Published date: 2020-07-07T18:56:16Z
CVE: CVE-2020-15095
Links:

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

Affected versions: ["1.1.25", "1.2.32", "1.3.2", "1.3.4", "1.2.20", "1.2.21", "1.2.22", "1.2.23", "1.2.24", "1.2.25", "1.2.27", "1.2.28", "1.2.30", "1.2.31", "1.3.0", "1.3.1", "1.2.19", "1.1.70", "1.1.71", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.3.9", "1.3.10", "1.3.11", "1.3.12", "1.3.13", "1.3.14", "1.3.15", "1.3.16", "1.3.17", "1.3.18", "1.3.20", "1.3.21", "1.3.22", "1.3.23", "1.3.24", "1.3.25", "1.3.26", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.2.8000", "1.4.17", "1.4.18", "1.4.19", "1.5.0-alpha-0", "1.5.0-alpha-1", "1.4.20", "1.5.0-alpha-2", "1.4.21", "1.5.0-alpha-3", "1.5.0-alpha-4", "2.0.0-alpha-5", "1.4.22", "1.4.23", "2.0.0-alpha.6.0", "1.4.24", "2.0.0-alpha.6", "2.0.0-alpha.7", "2.0.0-beta.0", "1.4.25", "2.0.0-beta.1", "1.4.26", "2.0.0-beta.2", "1.4.27", "2.0.0-beta.3", "1.4.28", "2.0.0", "2.0.1", "2.0.2", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.6", "2.1.7", "2.1.8", "2.1.9", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.16", "2.1.17", "2.1.18", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.6.0", "2.6.1", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.9.0", "2.9.1", "2.10.0", "2.10.1", "2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.12.0", "3.0.0", "2.12.1", "2.13.0", "3.1.0", "2.13.1", "3.1.1", "3.1.2", "2.13.2", "3.1.3", "2.13.3", "3.2.0", "2.13.4", "3.2.1", "2.13.5", "3.2.2", "2.14.0", "3.3.0", "2.14.1", "2.14.2", "3.3.1", "2.14.3", "3.3.2", "2.14.4", "3.3.3", "2.14.5", "3.3.4", "2.14.6", "3.3.5", "3.3.6", "2.14.7", "2.14.8", "3.3.7", "3.3.8", "3.3.9", "3.3.10", "2.14.9", "3.3.11", "1.4.29", "3.3.12", "2.14.10", "3.4.0", "3.4.1", "2.14.11", "2.14.12", "3.5.0", "3.5.1", "2.14.13", "2.14.14", "3.5.2", "2.14.15", "3.5.3", "3.5.4", "3.6.0", "2.14.16", "2.14.17", "3.7.0", "3.7.1", "3.7.2", "2.14.18", "3.7.3", "2.14.19", "2.14.20", "3.7.4", "3.7.5", "2.14.21", "3.8.0", "2.14.22", "3.8.1", "3.8.2", "2.15.0", "2.15.1", "3.8.3", "2.15.2", "3.8.4", "3.8.5", "3.8.6", "2.15.3", "3.8.7", "2.15.4", "3.8.8", "3.8.9", "2.15.5", "3.9.0", "3.9.1", "2.15.6", "3.9.2", "3.9.3", "3.9.4", "3.9.5", "3.9.6", "3.10.0", "2.15.7", "3.10.1", "2.15.8", "3.10.2", "3.10.3", "3.10.4", "2.15.9", "3.10.5", "3.10.6", "3.10.7", "2.15.10", "3.10.8", "2.15.11", "3.10.9", "4.0.0", "4.0.1", "4.0.2", "3.10.10", "4.0.3", "4.0.5", "4.1.0", "4.1.1", "4.1.2", "4.2.0", "4.3.0", "4.4.0", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.5.0", "2.15.12", "4.6.0", "4.6.1", "5.0.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.1.0", "5.2.0", "5.3.0", "5.4.0", "5.4.1", "5.4.2", "5.5.0", "5.5.1", "5.6.0", "5.7.0", "5.7.1", "5.8.0-next.0", "5.8.0", "6.0.0-next.0", "5.9.0-next.0", "5.10.0-next.0", "6.0.0-next.1", "6.0.0-next.2", "6.0.0", "6.0.1-next.0", "5.10.0-next.1", "6.0.1", "5.10.0", "6.1.0-next.0", "6.1.0", "6.2.0-next.0", "6.2.0-next.1", "6.2.0", "6.3.0-next.0", "6.3.0", "6.4.0-next.0", "6.4.0", "6.4.1-next.0", "6.4.1", "6.5.0-next.0", "6.5.0", "6.6.0-next.0", "6.6.0-next.1", "6.6.0", "6.7.0", "6.8.0-next.0", "6.8.0-next.1", "6.8.0-next.2", "6.8.0", "6.9.0-next.0", "6.9.0", "6.9.1-next.0", "6.9.2", "6.10.0-next.0", "6.10.0", "6.10.1-next.0", "6.10.1-next.1", "6.10.1-next.2", "6.10.1", "6.10.2-next.0", "6.10.2-next.1", "6.10.2-next.2", "6.10.2-next.3", "6.10.2", "6.10.3", "6.11.0", "6.11.1", "6.11.2", "6.11.3", "6.12.0-next.0", "6.12.0", "6.12.1", "6.13.0", "6.13.1", "6.13.2", "6.13.3", "6.13.4", "6.13.5", "6.13.6", "6.13.7", "6.14.0", "6.14.1", "6.14.2", "6.14.3", "6.14.4", "6.14.5"]
Secure versions: [6.14.6, 6.14.7, 7.0.0-beta.0, 7.0.0-beta.1, 7.0.0-beta.2, 7.0.0-beta.3, 7.0.0-beta.4, 6.14.8, 7.0.0-beta.5, 7.0.0-beta.6, 7.0.0-beta.7, 7.0.0-beta.8, 7.0.0-beta.9, 7.0.0-beta.10, 7.0.0-beta.11, 7.0.0-beta.12, 7.0.0-beta.13, 7.0.0-rc.0, 7.0.0-rc.1, 7.0.0-rc.2, 7.0.0-rc.3, 7.0.0-rc.4, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 6.14.9, 7.0.14, 7.0.15, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 6.14.10, 7.3.0, 7.4.0, 6.14.11, 7.4.1, 7.4.2, 7.4.3, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 6.14.12, 7.7.5, 7.7.6, 7.8.0, 6.14.13, 6.14.14, 6.14.15, 6.14.16, 6.14.17, 8.11.0, 8.12.0, 8.12.1, 8.12.2, 8.13.0, 8.13.1, 8.13.2, 8.14.0, 8.15.0, 8.15.1, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 8.19.1, 9.0.0-pre.0, 8.19.2, 9.0.0-pre.1, 9.0.0-pre.2, 9.0.0-pre.3, 9.0.0-pre.4, 9.0.0-pre.5, 9.0.0-pre.6, 9.0.0, 9.0.1, 9.1.0, 8.19.3, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 6.14.18, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 8.19.4, 9.5.0, 9.5.1, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.6.6, 9.6.7, 9.7.0, 9.7.1, 9.7.2, 9.8.0, 9.8.1, 10.0.0-pre.0, 10.0.0-pre.1, 10.0.0, 10.1.0, 10.2.0, 9.9.0, 10.2.1, 10.2.2, 10.2.3, 9.9.1, 9.9.2, 10.2.4, 10.2.5, 10.3.0, 10.4.0, 9.9.3, 10.5.0, 10.5.1, 10.5.2, 10.6.0, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0]
Recommendation: Update to version 10.9.0.

Arbitrary File Write in npm

Published date: 2019-12-13T15:39:19Z
CVE: CVE-2019-16775
Links:

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running npm install has access to and it is not possible to over write files that already exist on disk.

This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Recommendation

Upgrade to version 6.13.3 or later.

Affected versions: ["1.1.25", "1.2.32", "1.3.2", "1.3.4", "1.2.20", "1.2.21", "1.2.22", "1.2.23", "1.2.24", "1.2.25", "1.2.27", "1.2.28", "1.2.30", "1.2.31", "1.3.0", "1.3.1", "1.2.19", "1.1.70", "1.1.71", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.3.9", "1.3.10", "1.3.11", "1.3.12", "1.3.13", "1.3.14", "1.3.15", "1.3.16", "1.3.17", "1.3.18", "1.3.20", "1.3.21", "1.3.22", "1.3.23", "1.3.24", "1.3.25", "1.3.26", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.2.8000", "1.4.17", "1.4.18", "1.4.19", "1.5.0-alpha-0", "1.5.0-alpha-1", "1.4.20", "1.5.0-alpha-2", "1.4.21", "1.5.0-alpha-3", "1.5.0-alpha-4", "2.0.0-alpha-5", "1.4.22", "1.4.23", "2.0.0-alpha.6.0", "1.4.24", "2.0.0-alpha.6", "2.0.0-alpha.7", "2.0.0-beta.0", "1.4.25", "2.0.0-beta.1", "1.4.26", "2.0.0-beta.2", "1.4.27", "2.0.0-beta.3", "1.4.28", "2.0.0", "2.0.1", "2.0.2", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.6", "2.1.7", "2.1.8", "2.1.9", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.16", "2.1.17", "2.1.18", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.6.0", "2.6.1", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.9.0", "2.9.1", "2.10.0", "2.10.1", "2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.12.0", "3.0.0", "2.12.1", "2.13.0", "3.1.0", "2.13.1", "3.1.1", "3.1.2", "2.13.2", "3.1.3", "2.13.3", "3.2.0", "2.13.4", "3.2.1", "2.13.5", "3.2.2", "2.14.0", "3.3.0", "2.14.1", "2.14.2", "3.3.1", "2.14.3", "3.3.2", "2.14.4", "3.3.3", "2.14.5", "3.3.4", "2.14.6", "3.3.5", "3.3.6", "2.14.7", "2.14.8", "3.3.7", "3.3.8", "3.3.9", "3.3.10", "2.14.9", "3.3.11", "1.4.29", "3.3.12", "2.14.10", "3.4.0", "3.4.1", "2.14.11", "2.14.12", "3.5.0", "3.5.1", "2.14.13", "2.14.14", "3.5.2", "2.14.15", "3.5.3", "3.5.4", "3.6.0", "2.14.16", "2.14.17", "3.7.0", "3.7.1", "3.7.2", "2.14.18", "3.7.3", "2.14.19", "2.14.20", "3.7.4", "3.7.5", "2.14.21", "3.8.0", "2.14.22", "3.8.1", "3.8.2", "2.15.0", "2.15.1", "3.8.3", "2.15.2", "3.8.4", "3.8.5", "3.8.6", "2.15.3", "3.8.7", "2.15.4", "3.8.8", "3.8.9", "2.15.5", "3.9.0", "3.9.1", "2.15.6", "3.9.2", "3.9.3", "3.9.4", "3.9.5", "3.9.6", "3.10.0", "2.15.7", "3.10.1", "2.15.8", "3.10.2", "3.10.3", "3.10.4", "2.15.9", "3.10.5", "3.10.6", "3.10.7", "2.15.10", "3.10.8", "2.15.11", "3.10.9", "4.0.0", "4.0.1", "4.0.2", "3.10.10", "4.0.3", "4.0.5", "4.1.0", "4.1.1", "4.1.2", "4.2.0", "4.3.0", "4.4.0", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.5.0", "2.15.12", "4.6.0", "4.6.1", "5.0.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.1.0", "5.2.0", "5.3.0", "5.4.0", "5.4.1", "5.4.2", "5.5.0", "5.5.1", "5.6.0", "5.7.0", "5.7.1", "5.8.0-next.0", "5.8.0", "6.0.0-next.0", "5.9.0-next.0", "5.10.0-next.0", "6.0.0-next.1", "6.0.0-next.2", "6.0.0", "6.0.1-next.0", "5.10.0-next.1", "6.0.1", "5.10.0", "6.1.0-next.0", "6.1.0", "6.2.0-next.0", "6.2.0-next.1", "6.2.0", "6.3.0-next.0", "6.3.0", "6.4.0-next.0", "6.4.0", "6.4.1-next.0", "6.4.1", "6.5.0-next.0", "6.5.0", "6.6.0-next.0", "6.6.0-next.1", "6.6.0", "6.7.0", "6.8.0-next.0", "6.8.0-next.1", "6.8.0-next.2", "6.8.0", "6.9.0-next.0", "6.9.0", "6.9.1-next.0", "6.9.2", "6.10.0-next.0", "6.10.0", "6.10.1-next.0", "6.10.1-next.1", "6.10.1-next.2", "6.10.1", "6.10.2-next.0", "6.10.2-next.1", "6.10.2-next.2", "6.10.2-next.3", "6.10.2", "6.10.3", "6.11.0", "6.11.1", "6.11.2", "6.11.3", "6.12.0-next.0", "6.12.0", "6.12.1", "6.13.0", "6.13.1", "6.13.2"]
Secure versions: [6.14.6, 6.14.7, 7.0.0-beta.0, 7.0.0-beta.1, 7.0.0-beta.2, 7.0.0-beta.3, 7.0.0-beta.4, 6.14.8, 7.0.0-beta.5, 7.0.0-beta.6, 7.0.0-beta.7, 7.0.0-beta.8, 7.0.0-beta.9, 7.0.0-beta.10, 7.0.0-beta.11, 7.0.0-beta.12, 7.0.0-beta.13, 7.0.0-rc.0, 7.0.0-rc.1, 7.0.0-rc.2, 7.0.0-rc.3, 7.0.0-rc.4, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 6.14.9, 7.0.14, 7.0.15, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 6.14.10, 7.3.0, 7.4.0, 6.14.11, 7.4.1, 7.4.2, 7.4.3, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 6.14.12, 7.7.5, 7.7.6, 7.8.0, 6.14.13, 6.14.14, 6.14.15, 6.14.16, 6.14.17, 8.11.0, 8.12.0, 8.12.1, 8.12.2, 8.13.0, 8.13.1, 8.13.2, 8.14.0, 8.15.0, 8.15.1, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 8.19.1, 9.0.0-pre.0, 8.19.2, 9.0.0-pre.1, 9.0.0-pre.2, 9.0.0-pre.3, 9.0.0-pre.4, 9.0.0-pre.5, 9.0.0-pre.6, 9.0.0, 9.0.1, 9.1.0, 8.19.3, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 6.14.18, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 8.19.4, 9.5.0, 9.5.1, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.6.6, 9.6.7, 9.7.0, 9.7.1, 9.7.2, 9.8.0, 9.8.1, 10.0.0-pre.0, 10.0.0-pre.1, 10.0.0, 10.1.0, 10.2.0, 9.9.0, 10.2.1, 10.2.2, 10.2.3, 9.9.1, 9.9.2, 10.2.4, 10.2.5, 10.3.0, 10.4.0, 9.9.3, 10.5.0, 10.5.1, 10.5.2, 10.6.0, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0]
Recommendation: Update to version 10.9.0.

npm symlink reference outside of node_modules

Published date: 2019-12-13T15:39:26Z
CVE: CVE-2019-16776
Links:

Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of nodemodules. It is possible for packages to create symlinks to files outside of the`nodemodulesfolder through thebinfield upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running thenpm install` are affected.

This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Recommendation

Upgrade to version 6.13.3 or later.

Affected versions: ["1.1.25", "1.2.32", "1.3.2", "1.3.4", "1.2.20", "1.2.21", "1.2.22", "1.2.23", "1.2.24", "1.2.25", "1.2.27", "1.2.28", "1.2.30", "1.2.31", "1.3.0", "1.3.1", "1.2.19", "1.1.70", "1.1.71", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.3.9", "1.3.10", "1.3.11", "1.3.12", "1.3.13", "1.3.14", "1.3.15", "1.3.16", "1.3.17", "1.3.18", "1.3.20", "1.3.21", "1.3.22", "1.3.23", "1.3.24", "1.3.25", "1.3.26", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.2.8000", "1.4.17", "1.4.18", "1.4.19", "1.5.0-alpha-0", "1.5.0-alpha-1", "1.4.20", "1.5.0-alpha-2", "1.4.21", "1.5.0-alpha-3", "1.5.0-alpha-4", "2.0.0-alpha-5", "1.4.22", "1.4.23", "2.0.0-alpha.6.0", "1.4.24", "2.0.0-alpha.6", "2.0.0-alpha.7", "2.0.0-beta.0", "1.4.25", "2.0.0-beta.1", "1.4.26", "2.0.0-beta.2", "1.4.27", "2.0.0-beta.3", "1.4.28", "2.0.0", "2.0.1", "2.0.2", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.6", "2.1.7", "2.1.8", "2.1.9", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.16", "2.1.17", "2.1.18", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.6.0", "2.6.1", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.9.0", "2.9.1", "2.10.0", "2.10.1", "2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.12.0", "3.0.0", "2.12.1", "2.13.0", "3.1.0", "2.13.1", "3.1.1", "3.1.2", "2.13.2", "3.1.3", "2.13.3", "3.2.0", "2.13.4", "3.2.1", "2.13.5", "3.2.2", "2.14.0", "3.3.0", "2.14.1", "2.14.2", "3.3.1", "2.14.3", "3.3.2", "2.14.4", "3.3.3", "2.14.5", "3.3.4", "2.14.6", "3.3.5", "3.3.6", "2.14.7", "2.14.8", "3.3.7", "3.3.8", "3.3.9", "3.3.10", "2.14.9", "3.3.11", "1.4.29", "3.3.12", "2.14.10", "3.4.0", "3.4.1", "2.14.11", "2.14.12", "3.5.0", "3.5.1", "2.14.13", "2.14.14", "3.5.2", "2.14.15", "3.5.3", "3.5.4", "3.6.0", "2.14.16", "2.14.17", "3.7.0", "3.7.1", "3.7.2", "2.14.18", "3.7.3", "2.14.19", "2.14.20", "3.7.4", "3.7.5", "2.14.21", "3.8.0", "2.14.22", "3.8.1", "3.8.2", "2.15.0", "2.15.1", "3.8.3", "2.15.2", "3.8.4", "3.8.5", "3.8.6", "2.15.3", "3.8.7", "2.15.4", "3.8.8", "3.8.9", "2.15.5", "3.9.0", "3.9.1", "2.15.6", "3.9.2", "3.9.3", "3.9.4", "3.9.5", "3.9.6", "3.10.0", "2.15.7", "3.10.1", "2.15.8", "3.10.2", "3.10.3", "3.10.4", "2.15.9", "3.10.5", "3.10.6", "3.10.7", "2.15.10", "3.10.8", "2.15.11", "3.10.9", "4.0.0", "4.0.1", "4.0.2", "3.10.10", "4.0.3", "4.0.5", "4.1.0", "4.1.1", "4.1.2", "4.2.0", "4.3.0", "4.4.0", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.5.0", "2.15.12", "4.6.0", "4.6.1", "5.0.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.1.0", "5.2.0", "5.3.0", "5.4.0", "5.4.1", "5.4.2", "5.5.0", "5.5.1", "5.6.0", "5.7.0", "5.7.1", "5.8.0-next.0", "5.8.0", "6.0.0-next.0", "5.9.0-next.0", "5.10.0-next.0", "6.0.0-next.1", "6.0.0-next.2", "6.0.0", "6.0.1-next.0", "5.10.0-next.1", "6.0.1", "5.10.0", "6.1.0-next.0", "6.1.0", "6.2.0-next.0", "6.2.0-next.1", "6.2.0", "6.3.0-next.0", "6.3.0", "6.4.0-next.0", "6.4.0", "6.4.1-next.0", "6.4.1", "6.5.0-next.0", "6.5.0", "6.6.0-next.0", "6.6.0-next.1", "6.6.0", "6.7.0", "6.8.0-next.0", "6.8.0-next.1", "6.8.0-next.2", "6.8.0", "6.9.0-next.0", "6.9.0", "6.9.1-next.0", "6.9.2", "6.10.0-next.0", "6.10.0", "6.10.1-next.0", "6.10.1-next.1", "6.10.1-next.2", "6.10.1", "6.10.2-next.0", "6.10.2-next.1", "6.10.2-next.2", "6.10.2-next.3", "6.10.2", "6.10.3", "6.11.0", "6.11.1", "6.11.2", "6.11.3", "6.12.0-next.0", "6.12.0", "6.12.1", "6.13.0", "6.13.1", "6.13.2"]
Secure versions: [6.14.6, 6.14.7, 7.0.0-beta.0, 7.0.0-beta.1, 7.0.0-beta.2, 7.0.0-beta.3, 7.0.0-beta.4, 6.14.8, 7.0.0-beta.5, 7.0.0-beta.6, 7.0.0-beta.7, 7.0.0-beta.8, 7.0.0-beta.9, 7.0.0-beta.10, 7.0.0-beta.11, 7.0.0-beta.12, 7.0.0-beta.13, 7.0.0-rc.0, 7.0.0-rc.1, 7.0.0-rc.2, 7.0.0-rc.3, 7.0.0-rc.4, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 6.14.9, 7.0.14, 7.0.15, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 6.14.10, 7.3.0, 7.4.0, 6.14.11, 7.4.1, 7.4.2, 7.4.3, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 6.14.12, 7.7.5, 7.7.6, 7.8.0, 6.14.13, 6.14.14, 6.14.15, 6.14.16, 6.14.17, 8.11.0, 8.12.0, 8.12.1, 8.12.2, 8.13.0, 8.13.1, 8.13.2, 8.14.0, 8.15.0, 8.15.1, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 8.19.1, 9.0.0-pre.0, 8.19.2, 9.0.0-pre.1, 9.0.0-pre.2, 9.0.0-pre.3, 9.0.0-pre.4, 9.0.0-pre.5, 9.0.0-pre.6, 9.0.0, 9.0.1, 9.1.0, 8.19.3, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 6.14.18, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 8.19.4, 9.5.0, 9.5.1, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.6.6, 9.6.7, 9.7.0, 9.7.1, 9.7.2, 9.8.0, 9.8.1, 10.0.0-pre.0, 10.0.0-pre.1, 10.0.0, 10.1.0, 10.2.0, 9.9.0, 10.2.1, 10.2.2, 10.2.3, 9.9.1, 9.9.2, 10.2.4, 10.2.5, 10.3.0, 10.4.0, 9.9.3, 10.5.0, 10.5.1, 10.5.2, 10.6.0, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0]
Recommendation: Update to version 10.9.0.

553 Other Versions

Version License Security Released
8.0.0 Artistic-2.0 1 2021-10-07 - 20:11 about 3 years
7.24.2 Artistic-2.0 1 2021-10-04 - 17:16 about 3 years
7.24.1 Artistic-2.0 1 2021-09-23 - 20:36 about 3 years
7.24.0 Artistic-2.0 1 2021-09-16 - 21:52 about 3 years
7.23.0 Artistic-2.0 1 2021-09-09 - 19:53 about 3 years
7.22.0 Artistic-2.0 1 2021-09-02 - 20:00 about 3 years
7.21.1 Artistic-2.0 1 2021-08-26 - 20:19 about 3 years
7.21.0 Artistic-2.0 1 2021-08-19 - 17:26 about 3 years
7.20.6 Artistic-2.0 1 2021-08-12 - 19:47 about 3 years
7.20.5 Artistic-2.0 1 2021-08-05 - 20:41 about 3 years
7.20.4 Artistic-2.0 1 2021-08-05 - 19:17 about 3 years
7.20.3 Artistic-2.0 1 2021-07-29 - 16:04 over 3 years
7.20.2 Artistic-2.0 1 2021-07-27 - 16:25 over 3 years
7.20.1 Artistic-2.0 1 2021-07-22 - 20:27 over 3 years
7.20.0 Artistic-2.0 1 2021-07-15 - 19:47 over 3 years
7.19.1 Artistic-2.0 1 2021-07-01 - 17:26 over 3 years
7.19.0 Artistic-2.0 1 2021-06-24 - 21:31 over 3 years
7.18.1 Artistic-2.0 1 2021-06-17 - 18:54 over 3 years
7.18.0 Artistic-2.0 1 2021-06-17 - 18:12 over 3 years
7.17.0 Artistic-2.0 1 2021-06-10 - 20:39 over 3 years
7.16.0 Artistic-2.0 1 2021-06-03 - 19:46 over 3 years
7.15.1 Artistic-2.0 1 2021-05-31 - 22:41 over 3 years
7.15.0 Artistic-2.0 1 2021-05-27 - 20:25 over 3 years
7.14.0 Artistic-2.0 1 2021-05-20 - 19:28 over 3 years
7.13.0 Artistic-2.0 1 2021-05-13 - 20:06 over 3 years
7.12.1 Artistic-2.0 1 2021-05-10 - 21:26 over 3 years
7.12.0 Artistic-2.0 1 2021-05-06 - 19:53 over 3 years
7.11.2 Artistic-2.0 1 2021-04-29 - 19:51 over 3 years
7.11.1 Artistic-2.0 1 2021-04-23 - 22:46 over 3 years
7.11.0 Artistic-2.0 1 2021-04-23 - 04:41 over 3 years
7.10.0 Artistic-2.0 1 2021-04-15 - 17:59 over 3 years
7.9.0 Artistic-2.0 1 2021-04-08 - 17:44 over 3 years
7.8.0 Artistic-2.0 2021-04-01 - 20:05 over 3 years
7.7.6 Artistic-2.0 2021-03-29 - 19:23 over 3 years
7.7.5 Artistic-2.0 2021-03-25 - 22:05 over 3 years
7.7.4 Artistic-2.0 2021-03-24 - 21:19 over 3 years
7.7.3 Artistic-2.0 2021-03-24 - 18:15 over 3 years
7.7.2 Artistic-2.0 2021-03-24 - 17:16 over 3 years
7.7.1 Artistic-2.0 2021-03-24 - 15:02 over 3 years
7.7.0 Artistic-2.0 2021-03-23 - 16:54 over 3 years
7.6.3 Artistic-2.0 2021-03-11 - 21:22 over 3 years
7.6.2 Artistic-2.0 2021-03-09 - 19:29 over 3 years
7.6.1 Artistic-2.0 2021-03-04 - 22:12 over 3 years
7.6.0 Artistic-2.0 2021-02-25 - 18:35 over 3 years
7.5.6 Artistic-2.0 2021-02-22 - 20:58 over 3 years
7.5.5 Artistic-2.0 2021-02-22 - 17:51 over 3 years
7.5.4 Artistic-2.0 2021-02-12 - 18:13 over 3 years
7.5.3 Artistic-2.0 2021-02-08 - 20:53 over 3 years
7.5.2 Artistic-2.0 2021-02-02 - 17:39 over 3 years
7.5.1 Artistic-2.0 2021-02-01 - 20:55 over 3 years
7.5.0 Artistic-2.0 2021-01-28 - 21:44 almost 4 years
7.4.3 Artistic-2.0 2021-01-21 - 17:09 almost 4 years
7.4.2 Artistic-2.0 2021-01-15 - 20:57 almost 4 years
7.4.1 Artistic-2.0 2021-01-14 - 22:10 almost 4 years
7.4.0 Artistic-2.0 2021-01-07 - 20:56 almost 4 years
7.3.0 Artistic-2.0 2020-12-18 - 20:34 almost 4 years
7.2.0 Artistic-2.0 2020-12-15 - 19:47 almost 4 years
7.1.2 Artistic-2.0 2020-12-11 - 20:50 almost 4 years
7.1.1 Artistic-2.0 2020-12-09 - 00:56 almost 4 years
7.1.0 Artistic-2.0 2020-12-04 - 19:57 almost 4 years
7.0.15 Artistic-2.0 2020-11-27 - 17:03 almost 4 years
7.0.14 Artistic-2.0 2020-11-23 - 20:45 almost 4 years
7.0.13 Artistic-2.0 2020-11-20 - 20:11 almost 4 years
7.0.12 Artistic-2.0 2020-11-17 - 20:18 almost 4 years
7.0.11 Artistic-2.0 2020-11-13 - 19:38 almost 4 years
7.0.10 Artistic-2.0 2020-11-10 - 19:40 almost 4 years
7.0.9 Artistic-2.0 2020-11-06 - 20:00 almost 4 years
7.0.8 Artistic-2.0 2020-11-03 - 23:12 almost 4 years
7.0.7 Artistic-2.0 2020-10-30 - 18:47 about 4 years
7.0.6 Artistic-2.0 2020-10-27 - 18:59 about 4 years
7.0.5 Artistic-2.0 2020-10-23 - 19:09 about 4 years
7.0.4 Artistic-2.0 2020-10-23 - 18:47 about 4 years
7.0.3 Artistic-2.0 2020-10-20 - 18:45 about 4 years
7.0.2 Artistic-2.0 2020-10-16 - 20:52 about 4 years
7.0.1 Artistic-2.0 2020-10-15 - 23:29 about 4 years
7.0.0 Artistic-2.0 2020-10-13 - 04:57 about 4 years
7.0.0-rc.4 Artistic-2.0 2020-10-09 - 18:51 about 4 years
7.0.0-rc.3 Artistic-2.0 2020-10-06 - 18:58 about 4 years
7.0.0-rc.2 Artistic-2.0 2020-10-02 - 23:59 about 4 years
7.0.0-rc.1 Artistic-2.0 2020-10-02 - 21:23 about 4 years
7.0.0-rc.0 Artistic-2.0 2020-10-01 - 14:45 about 4 years
7.0.0-beta.13 Artistic-2.0 2020-09-29 - 18:59 about 4 years
7.0.0-beta.12 Artistic-2.0 2020-09-22 - 19:03 about 4 years
7.0.0-beta.11 Artistic-2.0 2020-09-16 - 16:01 about 4 years
7.0.0-beta.10 Artistic-2.0 2020-09-08 - 17:32 about 4 years
7.0.0-beta.9 Artistic-2.0 2020-09-04 - 19:18 about 4 years
7.0.0-beta.8 Artistic-2.0 2020-09-01 - 19:25 about 4 years
7.0.0-beta.7 Artistic-2.0 2020-08-25 - 18:53 about 4 years
7.0.0-beta.6 Artistic-2.0 2020-08-21 - 18:48 about 4 years
7.0.0-beta.5 Artistic-2.0 2020-08-18 - 19:08 about 4 years
7.0.0-beta.4 Artistic-2.0 2020-08-11 - 16:06 about 4 years
7.0.0-beta.3 Artistic-2.0 2020-08-10 - 21:50 about 4 years
7.0.0-beta.2 Artistic-2.0 2020-08-07 - 18:38 about 4 years
7.0.0-beta.1 Artistic-2.0 2020-08-05 - 19:26 about 4 years
7.0.0-beta.0 Artistic-2.0 2020-08-04 - 20:09 about 4 years
6.14.18 Artistic-2.0 2022-12-21 - 20:27 almost 2 years
6.14.17 Artistic-2.0 2022-04-28 - 20:38 over 2 years
6.14.16 Artistic-2.0 2022-01-19 - 20:41 almost 3 years
6.14.15 Artistic-2.0 2021-08-24 - 02:53 about 3 years
6.14.14 Artistic-2.0 2021-07-27 - 19:19 over 3 years