Lucene search
Mitar, Will White & the team at Mapbox, Max Motovilov, and James TaylorNODEJS:98HistoryApr 01, 2016 - 4:57 p.m.
npm Token Leak
2016-04-0116:57:21
Mitar, Will White & the team at Mapbox, Max Motovilov, and James Taylor
www.npmjs.com
25
0.002 Low
EPSS
Percentile
61.9%
Overview
Affected versions of the npm package include the bearer token of the logged in user in every request made by the CLI, even if the request is not directed towards the user’s active registry.
An attacker could create an HTTP server to collect tokens, and by various means including but not limited to install scripts, cause the npm CLI to make a request to that server, which would compromise the user’s token.
This compromised token could be used to do anything that the user could do, including publishing new packages.
Recommendation
- Update npm with
npm install npm@latest -g - Revoke your Tokens
- Enable Two-Factor Authentication
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| npm | le | 2.15.0 || >= 3.0.0 <= 3.8.2 |
Related
debiancve
debiancve
CVE-2016-3956
2016-07-02 14:59:19
openvas
openvas
Ubuntu: Security Advisory (USN-4785-1)
2023-01-27 00:00:00
osv
osv
npm vulnerability
2021-03-15 21:03:23
npm Token Leak in npm
2018-07-31 22:58:35
ubuntu
ubuntu
npm vulnerability
2021-03-15 00:00:00
ibm
ibm
nessus
nessus
Ubuntu 16.04 ESM / 18.04 ESM : npm vulnerability (USN-4785-1)
2023-10-16 00:00:00
cvelist
cvelist
CVE-2016-3956
2016-07-02 14:00:00
nvd
nvd
CVE-2016-3956
2016-07-02 14:59:19
CVE-2016-1000014
2016-10-06 14:59:17
github
github
npm Token Leak in npm
2018-07-31 22:58:35
cve
cve
CVE-2016-3956
2016-07-02 14:59:19
CVE-2016-1000014
2016-10-06 14:59:17
ubuntucve
ubuntucve
CVE-2016-3956
2016-07-02 00:00:00
prion
prion
Authorization
2016-07-02 14:59:00
Design/Logic Flaw
2016-10-06 14:59:00