CVE-2013-4116 — Local Privilege Escalation in npm

Description

lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

How to fix CVE-2013-4116

To remediate CVE-2013-4116, upgrade the affected package to a fixed version below.

Debian/npm—upgrade to 1.3.10~dfsg-1 or later
npm/npm—upgrade to 1.3.3 or later

Is CVE-2013-4116 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.3.10~dfsg-1
from 0, < 1.3.3

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4116
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4116
PATCHgithub.com/npm/npm
WEBbugs.debian.org/cgi-bin/bugreport.cgi?bug=715325
WEB