10.9.2
11 years ago
10 days ago
Known vulnerabilities in the npm package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for freeVulnerability | Vulnerable Version |
---|---|
npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The CLI supports URLs like How to fix Insertion of Sensitive Information into Log File? Upgrade | <6.14.6 |
npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Arbitrary File Write. It fails to prevent access to folders outside of the intended For How to fix Arbitrary File Write? Upgrade | <6.13.3 |
npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of the For How to fix Unauthorized File Access? Upgrade | <6.13.3 |
npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a For How to fix Arbitrary File Overwrite? Upgrade | <6.13.4 |
npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Access Restriction Bypass. It might allow local users to bypass intended filesystem access restrictions due to ownerships of How to fix Access Restriction Bypass? Upgrade | <5.7.1 |
This vulnerability could cause the unintentional leakage of bearer tokens. A design flaw in npm's registry allows an attacker to set up an HTTP server that could collect authentication information, and then use this authentication information to impersonate the users whose tokens they collected. The attacker could do anything the compromised users could do, including publishing new versions of packages. How to fix npm Token Leak?
| <2.15.1>=3.0.0 <3.8.4 |