CVE-2013-4116

Published: 22 April 2014

lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

Priority

Medium

Status

Package  Release                           Status
npm      Upstream                          Released (1.3.10~dfsg-1)
npm      Ubuntu 18.04 LTS (Bionic Beaver)  Not vulnerable (3.5.2-0ubuntu4)
npm      Ubuntu 16.04 ESM (Xenial Xerus)   Not vulnerable (3.5.2-0ubuntu4)
npm      Ubuntu 14.04 ESM (Trusty Tahr)    Not vulnerable (1.3.10~dfsg-1)

Patches:
Upstream: https://github.com/isaacs/npm/commit/f4d31693