Unauthorized File Access Affecting npm Open this link in a new tab package, versions <6.13.3

  • Exploit Maturity

    Proof of concept

  • Attack Complexity


  • User Interaction


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    12 Dec 2019

  • disclosed

    11 Dec 2019

  • credit

    Daniel Ruf

How to fix?

Upgrade npm to version 6.13.3 or higher.


npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation.

For npm, a properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.