
GHSA-m6cx-g6qm-p2cx

GitHub Security Advisory

Arbitrary File Write in npm

Status: GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. npm fails to prevent access to folders outside of the intended node_modules folder through the bin field of package.json: a properly constructed bin entry (a link name or target containing path traversal) allows a package publisher to create files on a user's system when the package is installed. Only files the user running `npm install` has write access to can be affected, and it is not possible to overwrite files that already exist on disk.

The same effect is still achievable through install scripts. What makes this vulnerability significant is that it does not rely on scripts at all, so it bypasses the --ignore-scripts install option that users rely on to avoid exactly this class of behavior.

## Recommendation

Upgrade to version 6.13.3 or later.

Affected Packages

npm (ecosystem: npm)
Affected versions: all versions before 6.13.3 (fixed in 6.13.3)


Key Information

GHSA ID
GHSA-m6cx-g6qm-p2cx
Published
December 13, 2019 3:39 PM
Last Modified
October 21, 2021 9:16 PM
CVSS Score
7.5 / 10
Primary Ecosystem
npm
Primary Package
npm
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.