CVE-2013-4116

Name: CVE-2013-4116
Description: lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 715325

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| npm (PTS) | buster | 5.8.0+ds6-4+deb10u2 | fixed |
| | bullseye | 7.5.2+ds-2 | fixed |
| | bookworm | 9.2.0~ds1-1 | fixed |
| | sid, trixie | 9.2.0~ds1-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| npm | source | (unstable) | 1.3.10~dfsg-1 | | | 715325 |

Notes

Upstream fix https://github.com/isaacs/npm/commit/f4d31693
https://github.com/isaacs/npm/issues/3635
