Severity: low

    Symlink reference outside of node_modules
    Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. Upon installation, a package can create symlinks to files outside of the node_modules folder through the bin field. A properly constructed entry in the package.json bin field allows a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. Only files accessible by the user running the npm install are affected.

    This behavior is still possible through install scripts. Because the symlink is created from the bin field rather than by an install script, this vulnerability bypasses the --ignore-scripts install option.
    Upgrade to version 6.13.3 or later.
    Advisory timeline

    1. Published: Advisory Published, Dec 12th, 2019
    2. Reported: Reported by Daniel Ruf, Dec 11th, 2019