CVE-2019-16775
Arbitrary File Write vulnerability in npm (npm)
What is CVE-2019-16775 About?
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write, allowing attackers to create files outside the intended `node_modules` folder. This could lead to system compromise or privilege escalation and is rated high impact. Exploitation is relatively easy if an attacker can publish a malicious package.
Affected Software
Technical Details
The vulnerability in npm CLI versions prior to 6.13.3 is an Arbitrary File Write caused by improper handling of the `bin` field in `package.json`. When processing the `bin` field during package installation, the npm CLI fails to restrict file creation to the `node_modules` directory. A malicious package publisher can craft a `package.json` whose `bin` field contains paths that escape `node_modules` (e.g., using `../`). When a user installs such a package, npm attempts to create files or symlinks at those locations on the user's system. Existing files cannot be overwritten and only locations writable by the user running `npm install` can be affected, but this still allows new files to be created in sensitive locations, potentially leading to system compromise or privilege escalation.
What is the Impact of CVE-2019-16775?
Successful exploitation may allow attackers to create arbitrary files on the user's system outside of the intended package directory, potentially leading to system compromise, privilege escalation, or integrity violations.
What is the Exploitability of CVE-2019-16775?
Exploitation of this vulnerability is of low complexity. The primary prerequisite is that a user installs a malicious npm package containing a crafted bin field. No authentication is required by npm itself; the vulnerability occurs during the npm install command. The user executing the command implicitly provides the necessary privileges to write files to locations they have access to. This is a local attack in the sense that the user must execute the npm install command, but an attacker can entice users to install their malicious package. Critically, it only allows creation of new files and cannot overwrite existing ones, and the files can only be written to locations the user running npm install has permissions for. The vulnerability bypasses the --ignore-scripts option. The likelihood of exploitation increases if users frequently install packages from untrusted sources or if an attacker can publish a malicious package with a seemingly legitimate name to the npm registry.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-16775?
Available Upgrade Options
- npm
- <6.13.3 → Upgrade to 6.13.3
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://access.redhat.com/errata/RHSA-2020:0579
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
- https://github.com/npm/cli
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHEA-2020:0330
- https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
- https://osv.dev/vulnerability/GHSA-m6cx-g6qm-p2cx
- https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx
What are Similar Vulnerabilities to CVE-2019-16775?
Similar Vulnerabilities: CVE-2019-16777, CVE-2018-16487, CVE-2022-38647, CVE-2022-37601, CVE-2023-38646
