CVE-2019-16777

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-16777
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-16777.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-16777
Aliases
Related
Published
2019-12-13T01:15:11Z
Modified
2025-02-14T10:47:21.730626Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. The CLI fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user's use of the --ignore-scripts install option.

References

Affected packages

Debian:11 / npm

Package

Name
npm
Purl
pkg:deb/debian/npm?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.13.4+ds-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / npm

Package

Name
npm
Purl
pkg:deb/debian/npm?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.13.4+ds-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / npm

Package

Name
npm
Purl
pkg:deb/debian/npm?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.13.4+ds-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/npm/cli

Affected ranges

Type
GIT
Repo
https://github.com/npm/cli
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.27

1.*

1.0.0rc3
1.0.7
1.1.0-1
1.1.0-alpha-1
1.1.0-alpha-2
1.1.22

v0.*

v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.6
v0.0.7
v0.1.0
v0.1.1
v0.1.10
v0.1.11
v0.1.12
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.2
v0.1.21
v0.1.22
v0.1.23
v0.1.24
v0.1.25
v0.1.26
v0.1.27
v0.1.27-1
v0.1.27-12
v0.1.27-2
v0.1.27-3
v0.1.27-4
v0.1.27-5
v0.1.27-6
v0.1.27-7
v0.1.27-8
v0.1.27-9
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.2.0
v0.2.1
v0.2.10
v0.2.10-1
v0.2.11
v0.2.11-1
v0.2.11-2
v0.2.11-3
v0.2.11-4
v0.2.11-5
v0.2.12
v0.2.12-1
v0.2.13
v0.2.13-1
v0.2.13-2
v0.2.13-3
v0.2.14
v0.2.14-1
v0.2.14-2
v0.2.14-3
v0.2.14-4
v0.2.14-5
v0.2.14-6
v0.2.15
v0.2.16
v0.2.17
v0.2.18
v0.2.2
v0.2.3
v0.2.3-3
v0.2.3-4
v0.2.3-5
v0.2.3-6
v0.2.4
v0.2.4-1
v0.2.5
v0.2.5-1
v0.2.7-2
v0.2.7-3
v0.2.8
v0.2.9
v0.3.0
v0.3.0-1
v0.3.0-10
v0.3.0-2
v0.3.0-3
v0.3.0-4
v0.3.0-5
v0.3.0-6
v0.3.0-7
v0.3.0-8
v0.3.0-9
v0.3.1
v0.3.10
v0.3.11
v0.3.12
v0.3.13
v0.3.14
v0.3.15
v0.3.16
v0.3.17
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9

v1.*

v1.0.0-1-rc
v1.0.0-2-rc
v1.0.0rc4
v1.0.0rc5
v1.0.0rc6
v1.0.0rc7
v1.0.0rc8
v1.0.0rc9
v1.0.1
v1.0.10
v1.0.100
v1.0.101
v1.0.102
v1.0.103
v1.0.104
v1.0.105
v1.0.106
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.0.19
v1.0.1rc0
v1.0.1rc1
v1.0.1rc3
v1.0.1rc4
v1.0.1rc5
v1.0.1rc6
v1.0.1rc7
v1.0.1rc8
v1.0.1rc9
v1.0.1rcFINAL
v1.0.2
v1.0.20
v1.0.21
v1.0.22
v1.0.23
v1.0.24
v1.0.25
v1.0.26
v1.0.27
v1.0.28
v1.0.29
v1.0.3
v1.0.30
v1.0.4
v1.0.5
v1.0.6
v1.0.8
v1.0.9
v1.0.9-1
v1.0.90
v1.0.91
v1.0.92
v1.0.93
v1.0.94
v1.0.95
v1.0.96
v1.0.97
v1.0.98
v1.0.99
v1.1.0
v1.1.0-1
v1.1.0-2
v1.1.0-3
v1.1.0-alpha-3
v1.1.0-alpha-4
v1.1.0-alpha-5
v1.1.0-alpha-6
v1.1.0-beta-0
v1.1.0-beta-1
v1.1.0-beta-10
v1.1.0-beta-2
v1.1.0-beta-3
v1.1.0-beta-4
v1.1.0-beta-5
v1.1.0-beta-6
v1.1.0-beta-7
v1.1.0-beta-8
v1.1.0-beta-9
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.1.16
v1.1.17
v1.1.18
v1.1.19
v1.1.2
v1.1.20
v1.1.21
v1.1.22
v1.1.23
v1.1.24
v1.1.25
v1.1.26
v1.1.27
v1.1.28
v1.1.29
v1.1.3
v1.1.30
v1.1.31
v1.1.32
v1.1.33
v1.1.34
v1.1.35
v1.1.36
v1.1.37
v1.1.38
v1.1.39
v1.1.4
v1.1.40
v1.1.41
v1.1.42
v1.1.43
v1.1.44
v1.1.45
v1.1.46
v1.1.48
v1.1.49
v1.1.5
v1.1.50
v1.1.51
v1.1.52
v1.1.53
v1.1.54
v1.1.55
v1.1.56
v1.1.57
v1.1.58
v1.1.59
v1.1.6
v1.1.60
v1.1.61
v1.1.62
v1.1.63
v1.1.64
v1.1.65
v1.1.66
v1.1.67
v1.1.68
v1.1.69
v1.1.7
v1.1.70
v1.1.71
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.10
v1.2.11
v1.2.12
v1.2.13
v1.2.14
v1.2.15
v1.2.16
v1.2.17
v1.2.18
v1.2.19
v1.2.2
v1.2.20
v1.2.21
v1.2.22
v1.2.23
v1.2.24
v1.2.25
v1.2.26
v1.2.27
v1.2.28
v1.2.29
v1.2.3
v1.2.30
v1.2.31
v1.2.32
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.3.2
v1.3.20
v1.3.21
v1.3.22
v1.3.23
v1.3.24
v1.3.25
v1.3.26
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.14
v1.4.15
v1.4.16
v1.4.17
v1.4.18
v1.4.19
v1.4.2
v1.4.20
v1.4.21
v1.4.22
v1.4.23
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5.0-alpha-0
v1.5.0-alpha-1
v1.5.0-alpha-2
v1.5.0-alpha-3
v1.5.0-alpha-4

v2.*

v2.0.0
v2.0.0-alpha-5
v2.0.0-alpha.6.0
v2.0.0-alpha.7
v2.0.0-beta.0
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.14
v2.1.15
v2.1.16
v2.1.17
v2.1.18
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.10.0
v2.10.1
v2.11.0
v2.11.1
v2.11.2
v2.11.3
v2.12.0
v2.2.0
v2.3.0
v2.4.0
v2.4.1
v2.5.0
v2.5.1
v2.6.0
v2.6.1
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.1

v3.*

v3.0.0
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.10.0
v3.10.1
v3.10.2
v3.10.3
v3.10.4
v3.10.5
v3.10.6
v3.10.7
v3.10.8
v3.10.9
v3.2.0
v3.2.1
v3.2.2
v3.3.0
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.1
v3.5.0
v3.5.1
v3.5.2
v3.5.3
v3.5.4
v3.6.0
v3.7.0
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.7.5
v3.8.0
v3.8.1
v3.8.2
v3.8.3
v3.8.4
v3.8.5
v3.8.6
v3.8.7
v3.8.8
v3.8.9
v3.9.0
v3.9.1
v3.9.2
v3.9.3
v3.9.4
v3.9.5
v3.9.6

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.5
v4.1.0
v4.1.1
v4.1.2
v4.2.0
v4.3.0
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.5.0
v4.6.0
v4.6.1

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.1.0
v5.2.0
v5.3.0
v5.4.0
v5.4.1
v5.4.2
v5.5.0
v5.5.1
v5.6.0
v5.7.0
v5.7.1
v5.8.0
v5.8.0-next.0

v6.*

v6.0.0
v6.0.0-next.0
v6.0.0-next.1
v6.0.0-next.2
v6.0.1
v6.0.1-next.0
v6.1.0
v6.1.0-next.0
v6.10.0
v6.10.0-next.0
v6.10.1
v6.10.1-next.0
v6.10.1-next.1
v6.10.1-next.2
v6.10.2
v6.10.2-next.0
v6.10.2-next.1
v6.10.2-next.2
v6.10.2-next.3
v6.10.3
v6.11.0
v6.11.1
v6.11.2
v6.11.3
v6.12.0
v6.12.0-next.0
v6.12.1
v6.13.0
v6.13.1
v6.13.2
v6.13.3
v6.2.0
v6.2.0-next.0
v6.2.0-next.1
v6.3.0
v6.3.0-next.0
v6.4.0
v6.4.0-next.0
v6.4.1
v6.4.1-next.0
v6.5.0
v6.6.0
v6.6.0-next.0
v6.6.0-next.1
v6.7.0
v6.9.0
v6.9.0-next.0
v6.9.1
v6.9.1-next.0
v6.9.2