npm@2.13.2 vulnerabilities

a package manager for JavaScript

Direct Vulnerabilities

Known vulnerabilities in the npm package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Insertion of Sensitive Information into Log File

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

How to fix Insertion of Sensitive Information into Log File?

Upgrade npm to version 6.14.6 or higher.

<6.14.6
  • H
Arbitrary File Write

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field.

For npm, a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Arbitrary File Write?

Upgrade npm to version 6.13.3 or higher.

<6.13.3
  • L
Unauthorized File Access

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation.

For npm, a properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Unauthorized File Access?

Upgrade npm to version 6.13.3 or higher.

<6.13.3
  • H
Arbitrary File Overwrite

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This only affects files in /usr/local/bin.

For npm, this behaviour is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Arbitrary File Overwrite?

Upgrade npm to version 6.13.4 or higher.

<6.13.4
  • M
Access Restriction Bypass

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Access Restriction Bypass. It might allow local users to bypass intended filesystem access restrictions due to ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.

How to fix Access Restriction Bypass?

Upgrade npm to version 5.7.1 or higher.

<5.7.1
  • M
npm Token Leak

This vulnerability could cause the unintentional leakage of bearer tokens. A design flaw in npm's registry allows an attacker to set up an HTTP server that could collect authentication information, and then use this authentication information to impersonate the users whose tokens they collected. The attacker could do anything the compromised users could do, including publishing new versions of packages.

How to fix npm Token Leak?

  1. Upgrade npm to ">= 3.8.3 || >= 2.15.1"
  2. Invalidate your current npm bearer tokens

<2.15.1 >=3.0.0 <3.8.4