The vulnerability of the command-line tools for package managers NPM and Yarn allows a hacker to write arbitrary files.

Vulnerability in npm and Yarn link handling allows arbitrary file writes via symlinks outside node_modules or bin field.

Reporter	Title	Published	Views	Family All 107
IBM Security Bulletins	Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager HA	30 Jul 202121:03	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities	8 Jun 202321:56	–	ibm
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in Node.js	17 May 202320:51	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in npm affects IBM VM Recovery Manager DR	30 Jul 202121:12	–	ibm
IBM Security Bulletins	Security Bulletin: Medium/low severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)	27 Apr 202222:51	–	ibm
FreeBSD	NPM -- Multiple vulnerabilities	18 Dec 201900:00	–	freebsd
AlmaLinux	nodejs:12 enhancement update	4 Feb 202008:35	–	almalinux
AlmaLinux	Important: nodejs:10 security update	25 Feb 202007:57	–	almalinux
Tenable Nessus	CentOS 8 : nodejs:10 (CESA-2020:0579)	1 Feb 202100:00	–	nessus
Tenable Nessus	Fedora 31 : 1:libuv / 1:nodejs (2020-595ce5e3cc)	27 Jan 202000:00	–	nessus

Vulners

Node

node.js npmRange<6.13.3

node.js yarnRange<1.21.1

Source	Link
securitylab	www.securitylab.ru/news/503411.php
nvd	www.nvd.nist.gov/vuln/detail/CVE-2019-16775
github	www.github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx
opennet	www.opennet.ru/opennews/art.shtml
blog	www.blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
web	www.web.nvd.nist.gov/view/vuln/detail

10 Feb 2020 00:00Current

7High risk

Vulners AI Score7

CVSS 27.1

CVSS 37.7

EPSS0.03266