43 matches found
CVE-2021-39135
CVE-2021-39135 affects the Node.js npm arborist module, which builds dependency trees and writes into node_modules. The issue arises if the root project’s node_modules folder (or a dependency’s) is replaced with a symbolic link, allowing a local attacker to write package dependencies to an arbitr...
CVE-2021-39135
@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder...
GHSA-2H3H-Q99F-3FHC @npmcli/arborist vulnerable to UNIX Symbolic Link (Symlink) Following
Impact: Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution. @npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and t...
GHSA-GMW6-94GG-2RC2 UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
Impact: Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution. @npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and t...
GHSA-V45M-2WCP-GG98 Global node_modules Binary Overwrite in bin-links
Versions of bin-links prior to 1.1.6 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent globally-installed binaries from being overwritten by other package installs. For example, if a package was installed globally and created a serve binary, any subsequent installs of packag...
Global node_modules Binary Overwrite in bin-links
Versions of bin-links prior to 1.1.6 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent globally-installed binaries from being overwritten by other package installs. For example, if a package was installed globally and created a serve binary, any subsequent installs of packag...
GHSA-2MJ8-PJ3J-H362 Symlink reference outside of node_modules in bin-links
Versions of bin-links prior to 1.1.5 are vulnerable to a Symlink reference outside of node_modules. It is possible to create symlinks to files outside of the node_modules folder through the bin field. This may allow attackers to access unauthorized files. Recommendation: Upgrade to version 1.1.5 or...
Symlink reference outside of node_modules in bin-links
Versions of bin-links prior to 1.1.5 are vulnerable to a Symlink reference outside of node_modules. It is possible to create symlinks to files outside of the node_modules folder through the bin field. This may allow attackers to access unauthorized files. Recommendation: Upgrade to version 1.1.5 or...
GHSA-GQF6-75V8-VR26 Arbitrary File Write in bin-links
Versions of bin-links prior to 1.1.5 are vulnerable to an Arbitrary File Write. The package fails to restrict access to folders outside of the intended node_modules folder through the bin field. This allows attackers to create arbitrary files in the system. Note it is not possible to overwrite fil...
npm: Symlink reference outside of node_modules folder through the bin field upon installation
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package...
FreeBSD : NPM -- Multiple vulnerabilities (2a3588b4-ab12-11ea-a051-001b217b3468)
NPM reports: Global node_modules Binary Overwrite; Symlink reference outside of node_modules; Arbitrary File Write. © Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the FreeBSD VuXML database: Copyright 2003-2020 Jacques Vidrine and...
NPM -- Multiple vulnerabilities
NPM reports: Global node_modules Binary Overwrite; Symlink reference outside of node_modules; Arbitrary File Write...
Unauthorized File Access
yarn is vulnerable to unauthorized file overwrite. The vulnerability exists because it was possible to create symlinks to files, using the value of bin, to access files outside of the node_modules folder...
npm Vulnerable to Global node_modules Binary Overwrite
Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent...
GHSA-4328-8HGF-7WJR npm Vulnerable to Global node_modules Binary Overwrite
Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent...
npm symlink reference outside of node_modules
Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would...
Unauthorized File Access
bin-links is vulnerable to unauthorized file access. The vulnerability exists because it was possible to use the bin field to create symlinks to files outside the node_modules folder. Note: The vulnerability is fixed in 1.1.4, but an upgrade to 1.1.5 is favourable due to a bug in 1.1.4...
Global node_modules Binary Overwrite
Overview: Versions of bin-links prior to 1.1.6 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent globally-installed binaries from being overwritten by other package installs. For example, if a package was installed globally and created a serve binary, any subsequent installs ...
Global node_modules Binary Overwrite
Overview: Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any...
Symlink reference outside of node_modules
Overview: Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin fie...