CVE-2019-16777
Binary Overwrite vulnerability in npm (npm)
What is CVE-2019-16777 About?
This vulnerability in versions of the npm CLI prior to 6.13.4 allows a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by subsequent package installations, which can lead to integrity compromise or unexpected behavior. Exploitation is relatively easy if an attacker can publish a package with a conflicting binary name.
Affected Software
Technical Details
The vulnerability in npm CLI versions prior to 6.13.4 resides in its package installation mechanism, specifically concerning globally-installed packages. The npm CLI fails to adequately prevent an existing globally-installed binary from being overwritten by a new package that also creates a binary with the same name. When a package is installed globally, its binaries are typically symlinked into a system-wide PATH-accessible directory (e.g., /usr/local/bin). If a user later installs another package globally containing a binary with an identical name, npm will overwrite the symlink pointing to the first package's binary with a new symlink to the second package's binary. While this does not affect system-level binaries, it can lead to confusion, unexpected behavior, or even a form of integrity compromise if an attacker can trick a user into installing a malicious package that overwrites a legitimate, trusted binary.
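The check below is an added example, not code from the npm CLI or from this advisory: it models the collision detection that the fixed versions perform before linking a global package's bins. Installed packages and the candidate package are constructed package.json-like objects (names and bin paths are made up), and the bin-name rules follow npm's documented "bin" field semantics.

```javascript
// Detect the global bin-name collision described by CVE-2019-16777:
// a candidate package declaring a bin that another installed package
// already owns would have its symlink silently overwritten by npm < 6.13.4.

// Normalise a package.json "bin" field into { binName: relativePath }.
// npm accepts a string (bin named after the package, scope stripped)
// or an object mapping bin names to files.
function binEntries(pkg) {
  if (!pkg.bin) return {};
  if (typeof pkg.bin === 'string') {
    const name = pkg.name.startsWith('@') ? pkg.name.split('/')[1] : pkg.name;
    return { [name]: pkg.bin };
  }
  return { ...pkg.bin };
}

// Map each bin name in the global install set to the package that owns it.
function indexGlobalBins(installed) {
  const owners = new Map();
  for (const pkg of installed) {
    for (const bin of Object.keys(binEntries(pkg))) owners.set(bin, pkg.name);
  }
  return owners;
}

// Return the bins the candidate would clobber. A bin already owned by the
// candidate itself (reinstall or upgrade) is not a collision.
function findBinCollisions(installed, candidate) {
  const owners = indexGlobalBins(installed);
  const collisions = [];
  for (const bin of Object.keys(binEntries(candidate))) {
    const owner = owners.get(bin);
    if (owner && owner !== candidate.name) {
      collisions.push({ bin, owner, candidate: candidate.name });
    }
  }
  return collisions;
}

// Constructed sample data: two globally installed packages and a candidate
// that reuses the "eslint" bin name under a different package name.
const INSTALLED = [
  { name: 'eslint', bin: { eslint: 'bin/eslint.js' } },
  { name: '@acme/deploy', bin: 'cli.js' },
];
const CANDIDATE = { name: 'lint-helper', bin: { eslint: 'index.js', lh: 'lh.js' } };

for (const c of findBinCollisions(INSTALLED, CANDIDATE)) {
  console.log(`refusing install: bin "${c.bin}" is owned by ${c.owner}, ` +
              `would be overwritten by ${c.candidate}`);
}
```

Run with `node` to see the single refused bin; with npm 6.13.4 or later the CLI itself reports this case as an EEXIST-style conflict instead of relinking.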
What is the Impact of CVE-2019-16777?
Successful exploitation may allow attackers to replace legitimate executables with malicious ones in the global `node_modules` directory, potentially leading to unexpected program behavior, execution of arbitrary code, or denial of service.
What is the Exploitability of CVE-2019-16777?
Exploitation of this vulnerability is of low complexity. The primary prerequisite is that a user installs two different npm packages globally, where both define a binary with the same name. No authentication is required, as the vulnerability occurs during the npm install -g operation performed by the user. The user executing the command implicitly provides the necessary privileges. This is a local attack in the sense that the user must be running npm install -g, but an attacker could persuade a user to install a malicious package. The vulnerability specifically affects binaries put into the global node_modules directory and does not overwrite system binaries or affect local installations. The likelihood of exploitation increases if users frequently install packages globally, or if an attacker can publish a package with a common binary name in the npm registry.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-16777?
Available Upgrade Options
- npm
- <6.13.4 → Upgrade to 6.13.4
Additional Resources
- https://security.gentoo.org/glsa/202003-48
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
- https://access.redhat.com/errata/RHSA-2020:0579
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
- https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr
- https://github.com/npm/cli
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHEA-2020:0330
- https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
- https://www.npmjs.com/advisories/1437
What are Similar Vulnerabilities to CVE-2019-16777?
Similar Vulnerabilities: CVE-2019-16775, CVE-2018-16487, CVE-2022-37601, CVE-2022-38647, CVE-2023-38646
