CVE-2019-16776
Symlink Attack vulnerability in npm (npm)

Vulnerability type: Symlink Attack. Known public exploits: none.

What is CVE-2019-16776 About?

The npm CLI prior to version 6.13.3 is vulnerable to a symlink attack, allowing packages to create symlinks outside of the node_modules directory. This critical vulnerability enables a malicious package publisher to create arbitrary symlinks on a user's system upon installation, bypassing the --ignore-scripts option.

Affected Software

npm <6.13.3

Technical Details

Versions of the npm CLI before 6.13.3 contain a vulnerability that allows for the creation of symlinks outside the intended node_modules directory. This occurs when a package's package.json file contains a specially crafted bin field. Upon installation of such a package, npm processes this bin entry and creates a symbolic link to an arbitrary file path specified within it, rather than restricting symlink creation to only within the node_modules folder. This mechanism can be used to link to any file accessible by the user running npm install. Critically, this attack vector also bypasses the --ignore-scripts install option, meaning users attempting to mitigate script execution risks are still exposed to symlink creation.

What is the Impact of CVE-2019-16776?

Successful exploitation may allow attackers to create or overwrite arbitrary files on the victim's system, potentially leading to unauthorized data modification, denial of service, or further system compromise.

What is the Exploitability of CVE-2019-16776?

Exploitation of this vulnerability requires a malicious npm package to be published and subsequently installed by a user. The complexity of creating the malicious package.json is low. No authentication to the target system is required beyond the user's ability to install npm packages. This is a local execution vulnerability, as the symlink is created on the user's local filesystem during package installation. Attackers must convince users to install the malicious package. The ease of publishing packages to npm and the common practice of installing third-party dependencies increase the likelihood of exploitation, as does the bypass of the --ignore-scripts option.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits (no entries)

What are the Available Fixes for CVE-2019-16776?

Available Upgrade Options

  • npm
    • <6.13.3 → Upgrade to 6.13.3


Additional Resources

What are Similar Vulnerabilities to CVE-2019-16776?

Similar Vulnerabilities: CVE-2017-16086, CVE-2018-1000631, CVE-2018-11756, CVE-2019-10747, CVE-2021-23393