npm 1.2.21 vulnerabilities

Known vulnerabilities in the npm package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Insertion of Sensitive Information into Log File npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The CLI supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files. How to fix Insertion of Sensitive Information into Log File? Upgrade `npm` to version 6.14.6 or higher.	<6.14.6
H Arbitrary File Write npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Arbitrary File Write. It fails to prevent access to folders outside of the intended `node_modules` folder through the bin field. For `npm`, a properly constructed entry in the `package.json` bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the `--ignore-scripts install` option. How to fix Arbitrary File Write? Upgrade `npm` to version 6.13.3 or higher.	<6.13.3
L Unauthorized File Access npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of the`node_modules` folder through the `bin` field upon installation. For `npm`, a properly constructed entry in the `package.json` bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the `--ignore-scripts` install option. How to fix Unauthorized File Access? Upgrade `npm` to version 6.13.3 or higher.	<6.13.3
H Arbitrary File Overwrite npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a `serve` binary, any subsequent installs of packages that also create a `serve` binary would overwrite the first binary. This only affects files in `/usr/local/bin`. For `npm`, this behaviour is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the `--ignore-scripts` install option. How to fix Arbitrary File Overwrite? Upgrade `npm` to version 6.13.4 or higher.	<6.13.4
M Access Restriction Bypass npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Access Restriction Bypass. It might allow local users to bypass intended filesystem access restrictions due to ownerships of `/etc` and `/usr` directories are being changed unexpectedly, related to a "correctMkdir" issue. How to fix Access Restriction Bypass? Upgrade `npm` to version 5.7.1 or higher.	<5.7.1
L Symlink attack due to predictable tmp folder names `npm` is a package manager for JavaScript. Affected versions of the package are vulnerable to Symlink attack due to predictable tmp folder names, which were named `/tmp/npm-$PID`. An attacker waiting for a process named `npm-` to load could then go to the folder and arbitrarily change the files in the tmp folder. How to fix Symlink attack due to predictable tmp folder names? Upgrade `npm` to version 1.3.3 or higher.	<1.3.4
M npm Token Leak This vulnerability could cause the unintentional leakage of bearer tokens. A design flaw in npm's registry allows an attacker to set up an HTTP server that could collect authentication information, and then use this authentication information to impersonate the users whose tokens they collected. The attacker could do anything the compromised users could do, including publishing new versions of packages. How to fix npm Token Leak? Upgrade npm to ">= 3.8.3 \|\| >= 2.15.1" Invalidate your current npm bearer tokens	<2.15.1>=3.0.0 <3.8.4

Vulnerability

Vulnerable Version

Insertion of Sensitive Information into Log File

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

How to fix Insertion of Sensitive Information into Log File?

Upgrade npm to version 6.14.6 or higher.

<6.14.6

Arbitrary File Write

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field.

For npm, a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Arbitrary File Write?

Upgrade npm to version 6.13.3 or higher.

<6.13.3

Unauthorized File Access

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation.

For npm, a properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Unauthorized File Access?

Upgrade npm to version 6.13.3 or higher.

<6.13.3

Arbitrary File Overwrite

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This only affects files in /usr/local/bin.

For npm, this behaviour is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Arbitrary File Overwrite?

Upgrade npm to version 6.13.4 or higher.

<6.13.4

Access Restriction Bypass

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Access Restriction Bypass. It might allow local users to bypass intended filesystem access restrictions due to ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.

How to fix Access Restriction Bypass?

Upgrade npm to version 5.7.1 or higher.

<5.7.1

Symlink attack due to predictable tmp folder names

npm is a package manager for JavaScript. Affected versions of the package are vulnerable to Symlink attack due to predictable tmp folder names, which were named /tmp/npm-$PID. An attacker waiting for a process named npm- to load could then go to the folder and arbitrarily change the files in the tmp folder.

How to fix Symlink attack due to predictable tmp folder names?

Upgrade npm to version 1.3.3 or higher.

<1.3.4

npm Token Leak

This vulnerability could cause the unintentional leakage of bearer tokens. A design flaw in npm's registry allows an attacker to set up an HTTP server that could collect authentication information, and then use this authentication information to impersonate the users whose tokens they collected. The attacker could do anything the compromised users could do, including publishing new versions of packages.

How to fix npm Token Leak?

Upgrade npm to ">= 3.8.3 || >= 2.15.1"
Invalidate your current npm bearer tokens

<2.15.1>=3.0.0 <3.8.4

npm@1.2.21 vulnerabilities

a package manager for JavaScript

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?