Affected versions of `cli` use predictable temporary file names. If an attacker can create a symbolic link at the location of one of these temporarly file names, the attacker can arbitrarily write to any file that the user which owns the `cli` process has permission to write to.

## Proof of Concept

By creating Symbolic Links at the following locations, the target of the link can be written to.
```
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
```

## Recommendation

Update to version 1.0.0 or later.

Affected Packages

npm cli

Affected versions: 0 (fixed in 1.0.0)

Related CVEs

CVE-2016-10538

Key Information

GHSA ID

GHSA-6cpc-mj5c-m9rq

Published

February 18, 2019 11:40 PM

Last Modified

August 31, 2020 6:10 PM

CVSS Score

2.5 /10

Primary Ecosystem

npm

Primary Package

cli

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.