
GHSA-x8qc-rrcw-4r46

GitHub Security Advisory

npm symlink reference outside of node_modules

✓ GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of `node_modules`. Packages can create symlinks to files outside of the `node_modules` folder through the `bin` field upon installation: a suitably constructed entry in the package.json `bin` field lets a package publisher create a symlink pointing to an arbitrary file on a user's system when the package is installed. Only files accessible by the user running `npm install` are affected.

Install scripts can also create such symlinks, but that is the expected behavior of scripts. The `bin` field is processed by npm's own linking step, not by a script, so this vulnerability bypasses the `--ignore-scripts` install option.

## Recommendation

Upgrade to version 6.13.3 or later.

Affected Packages

npm npm
Affected versions: < 6.13.3 (fixed in 6.13.3)

Related CVEs

Key Information

GHSA ID
GHSA-x8qc-rrcw-4r46
Published
December 13, 2019 3:39 PM
Last Modified
August 10, 2022 11:58 PM
CVSS Score
7.5 / 10
Primary Ecosystem
npm
Primary Package
npm
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 11, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.