Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-4328-8hgf-7wjr

GitHub Security Advisory

npm Vulnerable to Global node_modules Binary Overwrite

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations.

For example, if a package was installed globally and created a `serve` binary, any subsequent installs of packages that also create a `serve` binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global node_modules directory.

This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

## Recommendation

Upgrade to version 6.13.4 or later.

Affected Packages

npm npm
Affected versions: 0 (fixed in 6.13.4)

Related CVEs

CVE-2019-16777

Key Information

GHSA ID
GHSA-4328-8hgf-7wjr
Published
December 13, 2019 3:39 PM
Last Modified
August 11, 2022 12:00 AM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
npm
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.