Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdxZjYtNzV2OC12cjI2
Arbitrary File Write in bin-links
Versions of bin-links prior to 1.1.5 are vulnerable to an Arbitrary File Write. The package fails to restrict access to folders outside of the intended node_modules folder through the bin field. This allows attackers to create arbitrary files in the system. Note it is not possible to overwrite files that already exist.
Recommendation
Upgrade to version 1.1.5 or later.
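The following added example (not code from bin-links or from this advisory) audits a package manifest's bin field before installation and reports entries that would resolve outside their intended directory. It assumes the link name is the bin key joined to a bin directory and the link target is the bin value joined to the package directory; checking the target as well goes beyond what the advisory spells out. The function names, directories and sample manifest are constructed for illustration.

```javascript
const path = require('path');

// True when `candidate` resolves to a location strictly inside `root`.
function isInside(root, candidate) {
  const rel = path.relative(root, candidate);
  if (rel === '' || path.isAbsolute(rel)) return false;
  return rel !== '..' && !rel.startsWith('..' + path.sep);
}

// Normalise "bin" to { linkName: target }. A string "bin" is taken to use the
// package name as the link name (simplified; scope handling is omitted).
function binEntries(manifest) {
  const bin = manifest.bin;
  if (typeof bin === 'string') return { [manifest.name]: bin };
  return bin && typeof bin === 'object' ? bin : {};
}

// Return one finding per bin entry that would leave binDir or pkgDir.
function auditBin(manifest, pkgDir, binDir) {
  const findings = [];
  for (const [name, target] of Object.entries(binEntries(manifest))) {
    if (typeof target !== 'string') {
      findings.push({ name, reason: 'target is not a string' });
    } else if (!isInside(binDir, path.resolve(binDir, name))) {
      findings.push({ name, reason: 'link name escapes bin directory' });
    } else if (!isInside(pkgDir, path.resolve(pkgDir, target))) {
      findings.push({ name, reason: 'target escapes package directory' });
    }
  }
  return findings;
}

// Constructed sample manifest and install locations (assumptions).
const PKG_DIR = '/srv/app/node_modules/example-pkg';
const BIN_DIR = '/srv/app/node_modules/.bin';
const sample = {
  name: 'example-pkg',
  bin: {
    'example': 'cli.js',                 // stays inside both directories
    '../../../tmp/new-file': 'cli.js',   // relative key climbs out of .bin
    'helper': '../../outside.js',        // target climbs out of the package
    '/abs/link': 'cli.js'                // absolute key ignores .bin entirely
  }
};

console.log(auditBin(sample, PKG_DIR, BIN_DIR));
```

A manifest that produces any finding should be rejected before links are created, independently of upgrading to a fixed bin-links version.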
Permalink: https://github.com/advisories/GHSA-gqf6-75v8-vr26
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdxZjYtNzV2OC12cjI2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 4 years ago
Updated: almost 2 years ago
Identifiers: GHSA-gqf6-75v8-vr26
References:
Blast Radius: 0.0
Affected Packages
npm:bin-links
Dependent packages: 90
Dependent repositories: 109,270
Downloads: 10,240,618 last month
Affected Version Ranges: < 1.1.5
Fixed in: 1.1.5
All affected versions: 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4
All unaffected versions: 1.1.5, 1.1.6, 1.1.7, 1.1.8, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.3.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 5.0.0