Look up vulnerable packages by Package URL.

Purl pkg:rpm/redhat/rh-nodejs8-nodejs@8.17.0-2?arch=el7
Type rpm
Namespace redhat
Name rh-nodejs8-nodejs
Version 8.17.0-2
Qualifiers
arch el7
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-28g1-8vqv-1ugx
vulnerability_id VCID-28g1-8vqv-1ugx
summary
Incorrect Regular Expression
sshpk is vulnerable to ReDoS when parsing maliciously crafted invalid public keys.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3737.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3737.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-3737
reference_id
reference_type
scores
0
value 0.00423
scoring_system epss
scoring_elements 0.62167
published_at 2026-04-21T12:55:00Z
1
value 0.00423
scoring_system epss
scoring_elements 0.62182
published_at 2026-04-18T12:55:00Z
2
value 0.00423
scoring_system epss
scoring_elements 0.62177
published_at 2026-04-16T12:55:00Z
3
value 0.00423
scoring_system epss
scoring_elements 0.62133
published_at 2026-04-13T12:55:00Z
4
value 0.00423
scoring_system epss
scoring_elements 0.62154
published_at 2026-04-12T12:55:00Z
5
value 0.00423
scoring_system epss
scoring_elements 0.62165
published_at 2026-04-11T12:55:00Z
6
value 0.00423
scoring_system epss
scoring_elements 0.62145
published_at 2026-04-09T12:55:00Z
7
value 0.00423
scoring_system epss
scoring_elements 0.62127
published_at 2026-04-08T12:55:00Z
8
value 0.00423
scoring_system epss
scoring_elements 0.62077
published_at 2026-04-07T12:55:00Z
9
value 0.00423
scoring_system epss
scoring_elements 0.62108
published_at 2026-04-04T12:55:00Z
10
value 0.00423
scoring_system epss
scoring_elements 0.62017
published_at 2026-04-01T12:55:00Z
11
value 0.00423
scoring_system epss
scoring_elements 0.62076
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-3737
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3737
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3737
3
reference_url https://github.com/advisories/GHSA-2m39-62fm-q8r3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-2m39-62fm-q8r3
4
reference_url https://github.com/joyent/node-sshpk/blob/v1.13.1/lib/formats/ssh.js#L17
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/joyent/node-sshpk/blob/v1.13.1/lib/formats/ssh.js#L17
5
reference_url https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957
6
reference_url https://hackerone.com/reports/319593
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/319593
7
reference_url https://www.npmjs.com/advisories/606
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/606
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1567228
reference_id 1567228
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1567228
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901093
reference_id 901093
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901093
10
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:joyent:sshpk:*:*:*:*:*:node.js:*:*
reference_id cpe:2.3:a:joyent:sshpk:*:*:*:*:*:node.js:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:joyent:sshpk:*:*:*:*:*:node.js:*:*
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-3737
reference_id CVE-2018-3737
reference_type
scores
0
value 5.0
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:N/C:N/I:N/A:P
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-3737
12
reference_url https://access.redhat.com/errata/RHSA-2020:2625
reference_id RHSA-2020:2625
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:2625
fixed_packages
aliases CVE-2018-3737, GHSA-2m39-62fm-q8r3
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-28g1-8vqv-1ugx
1
url VCID-3qmf-2f2m-fbes
vulnerability_id VCID-3qmf-2f2m-fbes
summary
Improper Input Validation
index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-18077.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-18077.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-18077
reference_id
reference_type
scores
0
value 0.0052
scoring_system epss
scoring_elements 0.66858
published_at 2026-04-21T12:55:00Z
1
value 0.0052
scoring_system epss
scoring_elements 0.66828
published_at 2026-04-13T12:55:00Z
2
value 0.0052
scoring_system epss
scoring_elements 0.66875
published_at 2026-04-18T12:55:00Z
3
value 0.0052
scoring_system epss
scoring_elements 0.66861
published_at 2026-04-16T12:55:00Z
4
value 0.0052
scoring_system epss
scoring_elements 0.66754
published_at 2026-04-01T12:55:00Z
5
value 0.0052
scoring_system epss
scoring_elements 0.66794
published_at 2026-04-02T12:55:00Z
6
value 0.0052
scoring_system epss
scoring_elements 0.66819
published_at 2026-04-04T12:55:00Z
7
value 0.0052
scoring_system epss
scoring_elements 0.66791
published_at 2026-04-07T12:55:00Z
8
value 0.0052
scoring_system epss
scoring_elements 0.6684
published_at 2026-04-08T12:55:00Z
9
value 0.0052
scoring_system epss
scoring_elements 0.66854
published_at 2026-04-09T12:55:00Z
10
value 0.0052
scoring_system epss
scoring_elements 0.66874
published_at 2026-04-11T12:55:00Z
11
value 0.0052
scoring_system epss
scoring_elements 0.6686
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-18077
2
reference_url https://bugs.debian.org/862712
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugs.debian.org/862712
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18077
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18077
4
reference_url https://github.com/juliangruber/brace-expansion
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion
5
reference_url https://github.com/juliangruber/brace-expansion/issues/33
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion/issues/33
6
reference_url https://github.com/juliangruber/brace-expansion/pull/35
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion/pull/35
7
reference_url https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3
8
reference_url https://nodesecurity.io/advisories/338
reference_id
reference_type
scores
url https://nodesecurity.io/advisories/338
9
reference_url https://www.npmjs.com/advisories/338
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/338
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1448380
reference_id 1448380
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1448380
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862712
reference_id 862712
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862712
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-18077
reference_id CVE-2017-18077
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-18077
13
reference_url https://github.com/advisories/GHSA-832h-xg76-4gv6
reference_id GHSA-832h-xg76-4gv6
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-832h-xg76-4gv6
14
reference_url https://access.redhat.com/errata/RHSA-2020:2625
reference_id RHSA-2020:2625
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:2625
fixed_packages
aliases CVE-2017-18077, GHSA-832h-xg76-4gv6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3qmf-2f2m-fbes
2
url VCID-9qdm-4xaz-qqhd
vulnerability_id VCID-9qdm-4xaz-qqhd
summary
Time-of-check Time-of-use (TOCTOU) Race Condition in chownr
A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-18869.json
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-18869.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-18869
reference_id
reference_type
scores
0
value 0.00115
scoring_system epss
scoring_elements 0.30043
published_at 2026-04-21T12:55:00Z
1
value 0.00115
scoring_system epss
scoring_elements 0.30192
published_at 2026-04-01T12:55:00Z
2
value 0.00115
scoring_system epss
scoring_elements 0.30223
published_at 2026-04-02T12:55:00Z
3
value 0.00115
scoring_system epss
scoring_elements 0.30272
published_at 2026-04-04T12:55:00Z
4
value 0.00115
scoring_system epss
scoring_elements 0.3009
published_at 2026-04-07T12:55:00Z
5
value 0.00115
scoring_system epss
scoring_elements 0.30149
published_at 2026-04-08T12:55:00Z
6
value 0.00115
scoring_system epss
scoring_elements 0.30185
published_at 2026-04-09T12:55:00Z
7
value 0.00115
scoring_system epss
scoring_elements 0.30188
published_at 2026-04-11T12:55:00Z
8
value 0.00115
scoring_system epss
scoring_elements 0.30145
published_at 2026-04-12T12:55:00Z
9
value 0.00115
scoring_system epss
scoring_elements 0.30095
published_at 2026-04-13T12:55:00Z
10
value 0.00115
scoring_system epss
scoring_elements 0.30109
published_at 2026-04-16T12:55:00Z
11
value 0.00115
scoring_system epss
scoring_elements 0.30089
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-18869
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863985
reference_id
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863985
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1611614
reference_id
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=1611614
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18869
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18869
5
reference_url https://github.com/isaacs/chownr/commit/36a93e3f0a220062c47b237cf6ab6d5f55cd79c9
reference_id
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/isaacs/chownr/commit/36a93e3f0a220062c47b237cf6ab6d5f55cd79c9
6
reference_url https://github.com/isaacs/chownr/commit/a631d841022880e5c8d694408a7e96d6d576d0ce
reference_id
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/isaacs/chownr/commit/a631d841022880e5c8d694408a7e96d6d576d0ce
7
reference_url https://github.com/isaacs/chownr/issues/14
reference_id
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/isaacs/chownr/issues/14
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-18869
reference_id
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-18869
9
reference_url https://snyk.io/vuln/npm:chownr:20180731
reference_id
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/npm:chownr:20180731
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1611613
reference_id 1611613
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1611613
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909024
reference_id 909024
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909024
12
reference_url https://github.com/advisories/GHSA-c6rq-rjc2-86v2
reference_id GHSA-c6rq-rjc2-86v2
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c6rq-rjc2-86v2
13
reference_url https://access.redhat.com/errata/RHSA-2020:2625
reference_id RHSA-2020:2625
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:2625
fixed_packages
aliases CVE-2017-18869, GHSA-c6rq-rjc2-86v2
risk_score 3.5
exploitability 0.5
weighted_severity 6.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9qdm-4xaz-qqhd
3
url VCID-k3gg-stck-7ydy
vulnerability_id VCID-k3gg-stck-7ydy
summary
Arbitrary File Write in npm
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running `npm install` has access to and it is not possible to overwrite files that already exist on disk.

This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.


## Recommendation

Upgrade to version 6.13.3 or later.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
1
reference_url https://access.redhat.com/errata/RHEA-2020:0330
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHEA-2020:0330
2
reference_url https://access.redhat.com/errata/RHSA-2020:0573
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0573
3
reference_url https://access.redhat.com/errata/RHSA-2020:0579
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0579
4
reference_url https://access.redhat.com/errata/RHSA-2020:0597
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0597
5
reference_url https://access.redhat.com/errata/RHSA-2020:0602
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0602
6
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16775.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16775.json
7
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-16775
reference_id
reference_type
scores
0
value 0.00684
scoring_system epss
scoring_elements 0.71681
published_at 2026-04-21T12:55:00Z
1
value 0.00684
scoring_system epss
scoring_elements 0.71614
published_at 2026-04-01T12:55:00Z
2
value 0.00684
scoring_system epss
scoring_elements 0.7162
published_at 2026-04-02T12:55:00Z
3
value 0.00684
scoring_system epss
scoring_elements 0.71638
published_at 2026-04-04T12:55:00Z
4
value 0.00684
scoring_system epss
scoring_elements 0.71611
published_at 2026-04-07T12:55:00Z
5
value 0.00684
scoring_system epss
scoring_elements 0.71651
published_at 2026-04-08T12:55:00Z
6
value 0.00684
scoring_system epss
scoring_elements 0.71662
published_at 2026-04-09T12:55:00Z
7
value 0.00684
scoring_system epss
scoring_elements 0.71685
published_at 2026-04-11T12:55:00Z
8
value 0.00684
scoring_system epss
scoring_elements 0.71668
published_at 2026-04-12T12:55:00Z
9
value 0.00684
scoring_system epss
scoring_elements 0.7165
published_at 2026-04-13T12:55:00Z
10
value 0.00684
scoring_system epss
scoring_elements 0.71694
published_at 2026-04-16T12:55:00Z
11
value 0.00684
scoring_system epss
scoring_elements 0.717
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-16775
8
reference_url https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/advisories/GHSA-m6cx-g6qm-p2cx
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-m6cx-g6qm-p2cx
12
reference_url https://github.com/npm/cli
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/npm/cli
13
reference_url https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-16775
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-16775
17
reference_url https://www.npmjs.com/advisories/1434
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1434
18
reference_url https://www.oracle.com/security-alerts/cpujan2020.html
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2020.html
19
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1788305
reference_id 1788305
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1788305
21
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947127
reference_id 947127
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947127
22
reference_url https://security.archlinux.org/AVG-1082
reference_id AVG-1082
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1082
23
reference_url https://access.redhat.com/errata/RHSA-2020:2625
reference_id RHSA-2020:2625
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:2625
fixed_packages
aliases CVE-2019-16775, GHSA-m6cx-g6qm-p2cx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k3gg-stck-7ydy
4
url VCID-k6bh-s1cq-n3a7
vulnerability_id VCID-k6bh-s1cq-n3a7
summary
Improper Input Validation
The utilities function in all versions of the deep-extend node module can be tricked into modifying the prototype of `Object` when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3750.json
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3750.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-3750
reference_id
reference_type
scores
0
value 0.00293
scoring_system epss
scoring_elements 0.52661
published_at 2026-04-21T12:55:00Z
1
value 0.00293
scoring_system epss
scoring_elements 0.52613
published_at 2026-04-09T12:55:00Z
2
value 0.00293
scoring_system epss
scoring_elements 0.52631
published_at 2026-04-13T12:55:00Z
3
value 0.00293
scoring_system epss
scoring_elements 0.52647
published_at 2026-04-12T12:55:00Z
4
value 0.00293
scoring_system epss
scoring_elements 0.52574
published_at 2026-04-02T12:55:00Z
5
value 0.00293
scoring_system epss
scoring_elements 0.52601
published_at 2026-04-04T12:55:00Z
6
value 0.00293
scoring_system epss
scoring_elements 0.52567
published_at 2026-04-07T12:55:00Z
7
value 0.00293
scoring_system epss
scoring_elements 0.52618
published_at 2026-04-08T12:55:00Z
8
value 0.00293
scoring_system epss
scoring_elements 0.52664
published_at 2026-04-11T12:55:00Z
9
value 0.00293
scoring_system epss
scoring_elements 0.52676
published_at 2026-04-18T12:55:00Z
10
value 0.00293
scoring_system epss
scoring_elements 0.52669
published_at 2026-04-16T12:55:00Z
11
value 0.00293
scoring_system epss
scoring_elements 0.52529
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-3750
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750
3
reference_url https://github.com/advisories/GHSA-hr2v-3952-633q
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-hr2v-3952-633q
4
reference_url https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
5
reference_url https://hackerone.com/reports/311333
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/311333
6
reference_url https://www.npmjs.com/advisories/612
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/612
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1578246
reference_id 1578246
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1578246
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926616
reference_id 926616
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926616
9
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:deep_extend_project:deep_extend:*:*:*:*:*:node.js:*:*
reference_id cpe:2.3:a:deep_extend_project:deep_extend:*:*:*:*:*:node.js:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:deep_extend_project:deep_extend:*:*:*:*:*:node.js:*:*
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-3750
reference_id CVE-2018-3750
reference_type
scores
0
value 7.5
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:N/C:P/I:P/A:P
1
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-3750
11
reference_url https://access.redhat.com/errata/RHSA-2020:2625
reference_id RHSA-2020:2625
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:2625
12
reference_url https://access.redhat.com/errata/RHSA-2021:0485
reference_id RHSA-2021:0485
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:0485
13
reference_url https://access.redhat.com/errata/RHSA-2021:0549
reference_id RHSA-2021:0549
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:0549
fixed_packages
aliases CVE-2018-3750, GHSA-hr2v-3952-633q
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k6bh-s1cq-n3a7
5
url VCID-wb61-6cxb-5kfa
vulnerability_id VCID-wb61-6cxb-5kfa
summary
npm symlink reference outside of node_modules
Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of the `node_modules` folder through the `bin` field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. Only files accessible by the user running the `npm install` are affected.

This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.


## Recommendation

Upgrade to version 6.13.3 or later.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
1
reference_url https://access.redhat.com/errata/RHEA-2020:0330
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHEA-2020:0330
2
reference_url https://access.redhat.com/errata/RHSA-2020:0573
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0573
3
reference_url https://access.redhat.com/errata/RHSA-2020:0579
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0579
4
reference_url https://access.redhat.com/errata/RHSA-2020:0597
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0597
5
reference_url https://access.redhat.com/errata/RHSA-2020:0602
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0602
6
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16776.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16776.json
7
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-16776
reference_id
reference_type
scores
0
value 0.00783
scoring_system epss
scoring_elements 0.73698
published_at 2026-04-02T12:55:00Z
1
value 0.00783
scoring_system epss
scoring_elements 0.73787
published_at 2026-04-18T12:55:00Z
2
value 0.00783
scoring_system epss
scoring_elements 0.73779
published_at 2026-04-21T12:55:00Z
3
value 0.00783
scoring_system epss
scoring_elements 0.73689
published_at 2026-04-01T12:55:00Z
4
value 0.00783
scoring_system epss
scoring_elements 0.73737
published_at 2026-04-13T12:55:00Z
5
value 0.00783
scoring_system epss
scoring_elements 0.73746
published_at 2026-04-12T12:55:00Z
6
value 0.00783
scoring_system epss
scoring_elements 0.73764
published_at 2026-04-11T12:55:00Z
7
value 0.00783
scoring_system epss
scoring_elements 0.73742
published_at 2026-04-09T12:55:00Z
8
value 0.00783
scoring_system epss
scoring_elements 0.73729
published_at 2026-04-08T12:55:00Z
9
value 0.00783
scoring_system epss
scoring_elements 0.73694
published_at 2026-04-07T12:55:00Z
10
value 0.00783
scoring_system epss
scoring_elements 0.73722
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-16776
8
reference_url https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/advisories/GHSA-x8qc-rrcw-4r46
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-x8qc-rrcw-4r46
12
reference_url https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-16776
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-16776
16
reference_url https://www.npmjs.com/advisories/1436
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1436
17
reference_url https://www.oracle.com/security-alerts/cpujan2020.html
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2020.html
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1788310
reference_id 1788310
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1788310
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947127
reference_id 947127
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947127
20
reference_url https://security.archlinux.org/AVG-1082
reference_id AVG-1082
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1082
21
reference_url https://access.redhat.com/errata/RHSA-2020:2625
reference_id RHSA-2020:2625
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:2625
fixed_packages
aliases CVE-2019-16776, GHSA-x8qc-rrcw-4r46
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wb61-6cxb-5kfa
6
url VCID-xja2-hbkk-cyc7
vulnerability_id VCID-xja2-hbkk-cyc7
summary
npm Vulnerable to Global node_modules Binary Overwrite
Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. The CLI fails to prevent existing globally installed binaries from being overwritten by other package installations.

For example, if a package was installed globally and created a `serve` binary, any subsequent install of a package that also creates a `serve` binary would overwrite the first binary. This does not overwrite system binaries, only binaries placed in the global node_modules directory.

This behavior is still allowed in local installations and also through install scripts. This vulnerability is not mitigated by the --ignore-scripts install option.

## Recommendation

Upgrade to version 6.13.4 or later.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
1
reference_url https://access.redhat.com/errata/RHEA-2020:0330
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHEA-2020:0330
2
reference_url https://access.redhat.com/errata/RHSA-2020:0573
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0573
3
reference_url https://access.redhat.com/errata/RHSA-2020:0579
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0579
4
reference_url https://access.redhat.com/errata/RHSA-2020:0597
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0597
5
reference_url https://access.redhat.com/errata/RHSA-2020:0602
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0602
6
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16777.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16777.json
7
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-16777
reference_id
reference_type
scores
0
value 0.00334
scoring_system epss
scoring_elements 0.56257
published_at 2026-04-21T12:55:00Z
1
value 0.00334
scoring_system epss
scoring_elements 0.56256
published_at 2026-04-13T12:55:00Z
2
value 0.00334
scoring_system epss
scoring_elements 0.56274
published_at 2026-04-12T12:55:00Z
3
value 0.00334
scoring_system epss
scoring_elements 0.56299
published_at 2026-04-11T12:55:00Z
4
value 0.00334
scoring_system epss
scoring_elements 0.56288
published_at 2026-04-16T12:55:00Z
5
value 0.00334
scoring_system epss
scoring_elements 0.56283
published_at 2026-04-08T12:55:00Z
6
value 0.00334
scoring_system epss
scoring_elements 0.56231
published_at 2026-04-07T12:55:00Z
7
value 0.00334
scoring_system epss
scoring_elements 0.56251
published_at 2026-04-04T12:55:00Z
8
value 0.00334
scoring_system epss
scoring_elements 0.56232
published_at 2026-04-02T12:55:00Z
9
value 0.00334
scoring_system epss
scoring_elements 0.56121
published_at 2026-04-01T12:55:00Z
10
value 0.00334
scoring_system epss
scoring_elements 0.56289
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-16777
8
reference_url https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/advisories/GHSA-4328-8hgf-7wjr
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-4328-8hgf-7wjr
12
reference_url https://github.com/npm/cli
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/npm/cli
13
reference_url https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-16777
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-16777
17
reference_url https://security.gentoo.org/glsa/202003-48
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.gentoo.org/glsa/202003-48
18
reference_url https://www.npmjs.com/advisories/1437
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1437
19
reference_url https://www.oracle.com/security-alerts/cpujan2020.html
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2020.html
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1788301
reference_id 1788301
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1788301
21
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947127
reference_id 947127
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947127
22
reference_url https://security.archlinux.org/AVG-1082
reference_id AVG-1082
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1082
23
reference_url https://access.redhat.com/errata/RHSA-2020:2625
reference_id RHSA-2020:2625
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:2625
fixed_packages
aliases CVE-2019-16777, GHSA-4328-8hgf-7wjr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xja2-hbkk-cyc7
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rh-nodejs8-nodejs@8.17.0-2%3Farch=el7