Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-myru-vzn7-u7cf
Vulnerability ID VCID-myru-vzn7-u7cf
Aliases CVE-2021-39134
GHSA-2h3h-q99f-3fhc
Summary UNIX Symbolic Link (Symlink) Following `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-178 Improper Handling of Case Sensitivity
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-61 UNIX Symbolic Link (Symlink) Following
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39134.json
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2021-39134
cvssv3.1 8.2 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
generic_textual HIGH https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-2h3h-q99f-3fhc
cvssv3.1 8.2 https://github.com/npm/arborist
generic_textual HIGH https://github.com/npm/arborist
cvssv3.1 8.2 https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
cvssv3.1_qr HIGH https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
generic_textual HIGH https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
cvssv3.1 8.2 https://nvd.nist.gov/vuln/detail/CVE-2021-39134
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-39134
cvssv3.1 8.2 https://www.npmjs.com/package/@npmcli/arborist
generic_textual HIGH https://www.npmjs.com/package/@npmcli/arborist
cvssv3.1 8.2 https://www.oracle.com/security-alerts/cpuoct2021.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpuoct2021.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39134.json
https://api.first.org/data/v1/epss?cve=CVE-2021-39134
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39134
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/npm/arborist
https://www.npmjs.com/package/@npmcli/arborist
https://www.oracle.com/security-alerts/cpuoct2021.html
1999744 https://bugzilla.redhat.com/show_bug.cgi?id=1999744
993407 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993407
CVE-2021-39134 https://nvd.nist.gov/vuln/detail/CVE-2021-39134
GHSA-2h3h-q99f-3fhc https://github.com/advisories/GHSA-2h3h-q99f-3fhc
GHSA-2h3h-q99f-3fhc https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
GLSA-202405-29 https://security.gentoo.org/glsa/202405-29
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-39134.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/npm/arborist
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-39134
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://www.npmjs.com/package/@npmcli/arborist
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://www.oracle.com/security-alerts/cpuoct2021.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.72386
EPSS Score 0.00718
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:48:48.903980+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@npmcli/arborist/CVE-2021-39134.yml 38.0.0