Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW01aDYtaHIzcS0yMmg1
npm Token Leak in npm
Affected versions of the npm package include the bearer token of the logged in user in every request made by the CLI, even if the request is not directed towards the user's active registry.
An attacker could create an HTTP server to collect tokens, and by various means including but not limited to install scripts, cause the npm CLI to make a request to that server, which would compromise the user's token.
This compromised token could be used to do anything that the user could do, including publishing new packages.
Recommendation
- Update npm with
npm install npm@latest -g - Revoke your Tokens
- Enable Two-Factor Authentication
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW01aDYtaHIzcS0yMmg1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: almost 2 years ago
EPSS Percentage: 0.00236
EPSS Percentile: 0.61183
Identifiers: GHSA-m5h6-hr3q-22h5, CVE-2016-3956
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-3956
- https://github.com/advisories/GHSA-m5h6-hr3q-22h5
- https://www.npmjs.com/advisories/98
- http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability
- https://github.com/npm/npm/issues/8380
- https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29
- https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401
- https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/
- http://www-01.ibm.com/support/docview.wss?uid=swg21980827
Blast Radius: 0.0
Affected Packages
npm:npm
Dependent packages: 9,618Dependent repositories: 139,345
Downloads: 29,848,472 last month
Affected Version Ranges: >= 3.0.0, <= 3.8.2, <= 2.15.0
Fixed in: 3.8.3, 2.15.1
All affected versions: 1.1.25, 1.1.70, 1.1.71, 1.2.19, 1.2.20, 1.2.21, 1.2.22, 1.2.23, 1.2.24, 1.2.25, 1.2.27, 1.2.28, 1.2.30, 1.2.31, 1.2.32, 1.2.8000, 1.3.0, 1.3.1, 1.3.2, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.3.16, 1.3.17, 1.3.18, 1.3.20, 1.3.21, 1.3.22, 1.3.23, 1.3.24, 1.3.25, 1.3.26, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.20, 1.4.21, 1.4.22, 1.4.23, 1.4.24, 1.4.25, 1.4.26, 1.4.27, 1.4.28, 1.4.29, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.14.4, 2.14.5, 2.14.6, 2.14.7, 2.14.8, 2.14.9, 2.14.10, 2.14.11, 2.14.12, 2.14.13, 2.14.14, 2.14.15, 2.14.16, 2.14.17, 2.14.18, 2.14.19, 2.14.20, 2.14.21, 2.14.22, 2.15.0, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.8.0, 3.8.1, 3.8.2
All unaffected versions: 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.15.6, 2.15.7, 2.15.8, 2.15.9, 2.15.10, 2.15.11, 2.15.12, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.10.8, 3.10.9, 3.10.10, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.5, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.3.0, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.5.0, 4.6.0, 4.6.1, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.4.1, 5.4.2, 5.5.0, 5.5.1, 5.6.0, 5.7.0, 5.7.1, 5.8.0, 5.10.0, 6.0.0, 6.0.1, 6.1.0, 6.2.0, 6.3.0, 6.4.0, 6.4.1, 6.5.0, 6.6.0, 6.7.0, 6.8.0, 6.9.0, 6.9.2, 6.10.0, 6.10.1, 6.10.2, 6.10.3, 6.11.0, 6.11.1, 6.11.2, 6.11.3, 6.12.0, 6.12.1, 6.13.0, 6.13.1, 6.13.2, 6.13.3, 6.13.4, 6.13.5, 6.13.6, 6.13.7, 6.14.0, 6.14.1, 6.14.2, 6.14.3, 6.14.4, 6.14.5, 6.14.6, 6.14.7, 6.14.8, 6.14.9, 6.14.10, 6.14.11, 6.14.12, 6.14.13, 6.14.14, 6.14.15, 6.14.16, 6.14.17, 6.14.18, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 7.7.5, 7.7.6, 7.8.0, 7.9.0, 7.10.0, 7.11.0, 7.11.1, 7.11.2, 7.12.0, 7.12.1, 7.13.0, 7.14.0, 7.15.0, 7.15.1, 7.16.0, 7.17.0, 7.18.0, 7.18.1, 7.19.0, 7.19.1, 7.20.0, 7.20.1, 7.20.2, 7.20.3, 7.20.4, 7.20.5, 7.20.6, 7.21.0, 7.21.1, 7.22.0, 7.23.0, 7.24.0, 7.24.1, 7.24.2, 8.0.0, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.12.1, 8.12.2, 8.13.0, 8.13.1, 8.13.2, 8.14.0, 8.15.0, 8.15.1, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 8.19.1, 8.19.2, 8.19.3, 8.19.4, 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 9.5.0, 9.5.1, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.6.6, 9.6.7, 9.7.0, 9.7.1, 9.7.2, 9.8.0, 9.8.1, 9.9.0, 9.9.1, 9.9.2, 9.9.3, 9.9.4, 10.0.0, 10.1.0, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.3.0, 10.4.0, 10.5.0, 10.5.1, 10.5.2, 10.6.0, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0, 10.9.1, 10.9.2, 11.0.0