Vulnerability in NPM allowing modification of arbitrary files during package installation

The NPM 6.13.4 update to the package manager that ships with Node.js and is used to distribute JavaScript modules fixes three vulnerabilities (CVE-2019-16775, CVE-2019-16776 and CVE-2019-16777) that allow arbitrary system files to be modified or overwritten when a package prepared by an attacker is installed. As a security workaround, packages can be installed with the "--ignore-scripts" option, which disables execution of the handlers (lifecycle scripts) built into packages. The NPM developers analyzed the packages available in the repository and found no trace of the identified problems being used to carry out attacks.

  • CVE-2019-16777 affects releases prior to 6.13.4 and allows system executables to be overwritten during a global package installation. Only files in the target directory where executables are installed (usually /usr/local/bin) can be changed.
  • CVE-2019-16775 and CVE-2019-16776 affect releases prior to 6.13.3 and allow an arbitrary file to be written by creating a symbolic link to files outside the modules directory (node_modules) or by manipulating the bin field in package.json (paths containing "/../" were accepted in the bin field).

    Source: opennet.ru
