CVE-2019-16777 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-16777 PUBLISHED

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

EPSS 0.33% · 56.0th percentile

Risk Scores

EPSS Score

0.33%

56.0th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:14.04:LTS	npm	0, 1.3.10~dfsg-1, 1.2.18~dfsg-3
Ubuntu:Pro:18.04:LTS	npm	0, 3.5.2-0ubuntu4, 3.5.2-0ubuntu4.1.18.04.1~esm1
Ubuntu:Pro:16.04:LTS	npm	3.5.2-0ubuntu4.1.16.04.1~esm1, 0, 1.4.21+ds-2
Ubuntu:20.04:LTS	npm	0, 5.8.0+ds6-4, 6.14.4+ds-1ubuntu2
Ubuntu:22.04:LTS	npm	0, 7.5.2+ds-2, 7.24.2+ds-1
Ubuntu:24.04:LTS	npm	0, 9.2.0~ds1-1, 9.2.0~ds1-2
Ubuntu:25.10	npm	0, 9.2.0~ds1-3

Timeline

Dec 12, 2019 CVE Published
Oct 10, 2020 CVE Updated
Apr 14, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Dec 25, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 25, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Aug 31, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2019-16777 third-party-advisory
https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr third-party-advisory
https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2019-16777 third-party-advisory

Open in Interactive Console →