Unauthorized File Access Affecting node package, versions [12.0.0,12.14.0) [10.0.0,10.18.0) [8.0.0,8.17.0) [13.0.0,13.4.0)


Snyk CVSS: 0.0 (low)
    Attack Complexity: High
    User Interaction: Required

    Threat Intelligence
    Exploit Maturity: Proof of concept
    EPSS: 0.18% (56th percentile)

NVD: 6.5 (medium)
SUSE: 7.7 (high)
Red Hat: 4.8 (medium)

  • Snyk ID SNYK-UPSTREAM-NODE-538287
  • published 12 Dec 2019
  • disclosed 11 Dec 2019
  • credit Daniel Ruf

How to fix?

Upgrade node to version 12.14.0, 10.18.0, 8.17.0, 13.4.0 or higher.

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation.

For npm, a properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses the --ignore-scripts install option, so installing with that option does not prevent it.