{"id":"GHSA-x8qc-rrcw-4r46","summary":"npm symlink reference outside of node_modules","details":"Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of the`node_modules` folder through the `bin` field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the `npm install` are affected.  \n\nThis behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.\n\n\n## Recommendation\n\nUpgrade to version 6.13.3 or later.","aliases":["CVE-2019-16776"],"modified":"2026-03-13T22:14:25.570427Z","published":"2019-12-13T15:39:26Z","related":["CGA-jffg-qjr2-vv8r","CVE-2019-16776"],"database_specific":{"nvd_published_at":"2019-12-13T01:15:00Z","github_reviewed":true,"severity":"HIGH","github_reviewed_at":"2020-06-16T22:02:49Z","cwe_ids":["CWE-22"]},"references":[{"type":"WEB","url":"https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16776"},{"type":"WEB","url":"https://access.redhat.com/errata/RHEA-2020:0330"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2020:0573"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2020:0579"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2020:0597"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2020:0602"},{"type":"WEB","url":"https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-x8qc-rrcw-4r46"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP"},{"type":"WEB","url":"https://www.npmjs.com/advisories/1436"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"}],"affected":[{"package":{"name":"npm","ecosystem":"npm","purl":"pkg:npm/npm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"6.13.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-x8qc-rrcw-4r46/GHSA-x8qc-rrcw-4r46.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N"}]}