bin-links 1.1.2 vulnerabilities

Known vulnerabilities in the bin-links package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Arbitrary File Write bin-links is a `.bin/` script linker package. Affected versions of this package are vulnerable to Arbitrary File Write. It fails to prevent access to folders outside of the intended `node_modules` folder through the bin field. For `npm`, a properly constructed entry in the `package.json` bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the `--ignore-scripts install` option. How to fix Arbitrary File Write? Upgrade `bin-links` to version 1.1.5 or higher.	<1.1.5
L Unauthorized File Access bin-links is a `.bin/` script linker package. Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of the`node_modules` folder through the `bin` field upon installation. For `npm`, a properly constructed entry in the `package.json` bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the `--ignore-scripts` install option. How to fix Unauthorized File Access? Upgrade `bin-links` to version 1.1.5 or higher.	<1.1.5
H Arbitrary File Overwrite bin-links is a `.bin/` script linker package. Affected versions of this package are vulnerable to Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a `serve` binary, any subsequent installs of packages that also create a `serve` binary would overwrite the first binary. This only affects files in `/usr/local/bin`. For `npm`, this behaviour is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the `--ignore-scripts` install option. How to fix Arbitrary File Overwrite? Upgrade `bin-links` to version 1.1.6 or higher.	<1.1.6

Vulnerability

Vulnerable Version

Arbitrary File Write

bin-links is a .bin/ script linker package.

Affected versions of this package are vulnerable to Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field.

For npm, a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Arbitrary File Write?

Upgrade bin-links to version 1.1.5 or higher.

<1.1.5

Unauthorized File Access

bin-links is a .bin/ script linker package.

Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation.

For npm, a properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Unauthorized File Access?

Upgrade bin-links to version 1.1.5 or higher.

<1.1.5

Arbitrary File Overwrite

bin-links is a .bin/ script linker package.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This only affects files in /usr/local/bin.

For npm, this behaviour is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Arbitrary File Overwrite?

Upgrade bin-links to version 1.1.6 or higher.

<1.1.6

bin-links@1.1.2 vulnerabilities

JavaScript package binary linker

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?