CVE-2020-15095

NameCVE-2020-15095
DescriptionVersions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs964746

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
npm (PTS)buster5.8.0+ds6-4+deb10u2fixed
bullseye7.5.2+ds-2fixed
bookworm9.2.0~ds1-1fixed
sid, trixie9.2.0~ds1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
npmsourcebuster5.8.0+ds6-4+deb10u2
npmsource(unstable)6.14.6+ds-1low964746

Notes

https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
Search for package or bug name: Reporting problems