CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29244 – npm packing does not respect root-level ignore files in workspaces
https://notcve.org/view.php?id=CVE-2022-29244
13 Jun 2022 — npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 3CVE-2021-43616 – npm: npm ci succeeds when package-lock.json doesn't match package.json
https://notcve.org/view.php?id=CVE-2021-43616
13 Nov 2021 — The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependenc... • https://github.com/icatalina/CVE-2021-43616 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 8.2EPSS: 0%CPEs: 5EXPL: 0CVE-2021-39135 – UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
https://notcve.org/view.php?id=CVE-2021-39135
31 Aug 2021 — `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, ... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 8.2EPSS: 1%CPEs: 5EXPL: 0CVE-2021-39134 – UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
https://notcve.org/view.php?id=CVE-2021-39134
31 Aug 2021 — `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multi... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-61: UNIX Symbolic Link (Symlink) Following CWE-178: Improper Handling of Case Sensitivity •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2020-7754 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2020-7754
27 Oct 2020 — This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters. Esto afecta al paquete npm-user-validate versiones anteriores a 1.0.1. La expresión regular que comprueba los correos electrónicos de los usuarios tardó exponencialmente más en procesar cadenas de entrada largas que comienzan con caracteres @ Node.js is a software development platform for building fast and scalable network app... • https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 1CVE-2020-15095 – Sensitive information exposure through logs in npm cli
https://notcve.org/view.php?id=CVE-2020-15095
07 Jul 2020 — Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files. Las versiones de la CLI npm anteriores a 6.14.6, son susceptibles a una vulnerabilidad de exposición de información por medio de archivos de registro. La CLI admite las URL como "://[[:]@][:][:][/]". • https://github.com/ossf-cve-benchmark/CVE-2020-15095 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2019-16777 – Arbitrary File Overwrite in npm CLI
https://notcve.org/view.php?id=CVE-2019-16777
13 Dec 2019 — Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using t... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-269: Improper Privilege Management •
CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2019-16776 – Unauthorized File Access in npm CLI before before version 6.13.3
https://notcve.org/view.php?id=CVE-2019-16776
13 Dec 2019 — Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.7EPSS: 0%CPEs: 8EXPL: 0CVE-2019-16775 – Unauthorized File Access in npm CLI before before version 6.13.3
https://notcve.org/view.php?id=CVE-2019-16775
13 Dec 2019 — Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignor... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html • CWE-20: Improper Input Validation CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-7408
https://notcve.org/view.php?id=CVE-2018-7408
22 Feb 2018 — An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue. Se ha descubierto un problema en un prelanzamiento de npm 5.7.0 2018-02-21 (ma... • http://blog.npmjs.org/post/171169301000/v571 • CWE-732: Incorrect Permission Assignment for Critical Resource •