CVE-2019-16775 : What You Need to Know

The npm CLI versions earlier than 6.13.3 have a vulnerability known as Arbitrary File Write, allowing packages to create symbolic links to files outside the node_modules folder.

Understanding CVE-2019-16775

What is CVE-2019-16775?

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. This vulnerability enables packages to create symbolic links to files outside the node_modules folder during installation.

The Impact of CVE-2019-16775

The vulnerability allows a package publisher to create symbolic links pointing to any file on a user's system, even if the user tries to mitigate it by using the --ignore-scripts option during installation.

Technical Details of CVE-2019-16775

Vulnerability Description

CVE ID: CVE-2019-16775
CWE ID: CWE-61: UNIX Symbolic Link (Symlink) Following
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Affected Systems and Versions

Product: cli
Vendor: npm
Affected Version: < 6.13.3

Exploitation Mechanism

The vulnerability allows packages to create symbolic links to files outside the node_modules folder by using the bin field during installation. A package publisher can create a symbolic link pointing to any file on a user's system when the package is installed.

Mitigation and Prevention

Immediate Steps to Take

Update npm CLI to version 6.13.3 or higher to mitigate the vulnerability.
Avoid installing packages from untrusted sources.

Long-Term Security Practices

Regularly update npm CLI and all installed packages to the latest versions.
Implement secure coding practices to prevent similar vulnerabilities.

Patching and Updates

Stay informed about security advisories and apply patches promptly to address known vulnerabilities.