npm is vulnerable to unauthorized file access. The vulnerability exists as it was possible to create symlinks to files, using the value of bin
, to access files out of the node_modules
folder.
lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
access.redhat.com/errata/RHEA-2020:0330
access.redhat.com/errata/RHSA-2020:0573
access.redhat.com/errata/RHSA-2020:0579
access.redhat.com/errata/RHSA-2020:0597
access.redhat.com/errata/RHSA-2020:0602
blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
github.com/npm/cli/commit/19ce061a2ee165d8de862c8f0f733c222846b9e1
github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx
lists.fedoraproject.org/archives/list/[email protected]/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
www.npmjs.com/advisories/1436
www.oracle.com/security-alerts/cpujan2020.html
www.oracle.com/security-alerts/cpuoct2021.html