CVE-2016-3956

NameCVE-2016-3956
DescriptionThe CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs850322

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
npm (PTS)bullseye7.5.2+ds-2fixed
bookworm9.2.0~ds1-1fixed
sid, trixie9.2.0~ds1-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
npmsourcejessie(unfixed)end-of-life
npmsource(unstable)5.8.0+ds-2850322

Notes

[jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support, minor issue)
https://github.com/npm/npm/issues/8380
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 (2.15.1)
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 (3.8.3)

Search for package or bug name: Reporting problems