Affected versions of npm use predictable temporary file names during archive unpacking. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user which owns the npm process has permission to write to, potentially resulting in local privilege escalation.

Recommendation

Update to version 1.3.3 or later.

References

• npm/npm#3635
• https://www.npmjs.com/advisories/152
• http://www.openwall.com/lists/oss-security/2013/07/10/17
• https://nvd.nist.gov/vuln/detail/CVE-2013-4116
• npm/npm@f4d31693
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715325
• https://bugzilla.redhat.com/show_bug.cgi?id=983917
• https://exchange.xforce.ibmcloud.com/vulnerabilities/87141
• http://www.openwall.com/lists/oss-security/2013/07/11/9
• http://www.securityfocus.com/bid/61083