Skip to main content

npm

9 CVEs product

Monthly

CVE-2022-29244 npm HIGH PATCH This Week

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure npm Ontap Select Deploy Administration Utility
NVD GitHub
CVSS 3.1
7.5
EPSS
3.5%
CVE-2021-43616 CRITICAL POC PATCH Act Now

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure npm Next Generation Application Programming Interface Fedora
NVD GitHub
CVSS 3.1
9.8
EPSS
2.5%
CVE-2021-26700 npm HIGH PATCH MAL This Week

Visual Studio Code npm-script Extension Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Node.js npm
NVD
CVSS 3.1
7.8
EPSS
6.0%
CVE-2020-15095 npm MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. Rated medium severity (CVSS 4.4).

Node.js Information Disclosure npm Leap Fedora
NVD GitHub
CVSS 3.1
4.4
EPSS
0.4%
CVE-2019-16777 npm MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal npm Leap Graalvm +3
NVD GitHub
CVSS 3.1
6.5
EPSS
2.0%
CVE-2019-16776 npm HIGH PATCH This Week

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal npm Leap Graalvm +3
NVD GitHub
CVSS 3.1
8.1
EPSS
3.3%
CVE-2019-16775 npm MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Node.js Enterprise Linux Enterprise Linux Eus npm +3
NVD GitHub
CVSS 3.1
6.5
EPSS
3.3%
CVE-2018-7408 npm HIGH PATCH This Week

An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Node.js npm
NVD GitHub
CVSS 3.0
7.8
EPSS
0.3%
CVE-2016-3956 npm HIGH PATCH This Week

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Node.js Sdk Node Js npm
NVD GitHub
CVSS 3.1
7.5
EPSS
3.2%
EPSS 3% CVSS 7.5
HIGH PATCH This Week

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure npm +1
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure npm +2
NVD GitHub
EPSS 6% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code npm-script Extension Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Node.js npm
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. Rated medium severity (CVSS 4.4).

Node.js Information Disclosure npm +2
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal npm +5
NVD GitHub
EPSS 3% CVSS 8.1
HIGH PATCH This Week

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal npm +5
NVD GitHub
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Node.js Enterprise Linux +5
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Node.js npm
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Node.js Sdk +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy