Nationwide Polamorous Matrimony
    Severity: low

    Global node_modules Binary Overwrite

    npm

    Overview

    Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations.

    For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global node_modules directory.

    This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

    Remediation

    Upgrade to version 6.13.4 or later.

    Resources

    Have content suggestions? Visit npmjs.com/support.

    Advisory timeline

    1. published

      Advisory Published
      Dec 12th, 2019
    2. reported

      Reported by Daniel Ruf
      Dec 11th, 2019