Vulnerabilities > Npmjs > NPM

DATE CVE VULNERABILITY TITLE RISK
2022-06-13 CVE-2022-29244 Information Exposure vulnerability in multiple products
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie.
network
low complexity
npmjs netapp CWE-200
7.5
7.5
2021-11-13 CVE-2021-43616 Insufficient Verification of Data Authenticity vulnerability in multiple products
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json.
network
low complexity
npmjs netapp fedoraproject CWE-345
critical
 9.8
9.8
2020-07-07 CVE-2020-15095 Information Exposure Through Log Files vulnerability in multiple products
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files.
local
high complexity
npmjs opensuse fedoraproject CWE-532
4.4
4.4
2019-12-13 CVE-2019-16777 Improper Privilege Management vulnerability in multiple products
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite.
network
low complexity
npmjs opensuse oracle fedoraproject redhat CWE-269
6.5
6.5
2019-12-13 CVE-2019-16776 Path Traversal vulnerability in multiple products
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write.
network
low complexity
npmjs opensuse oracle fedoraproject redhat CWE-22
8.1
8.1
2019-12-13 CVE-2019-16775 UNIX Symbolic Link (Symlink) Following vulnerability in multiple products
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write.
network
low complexity
redhat npmjs opensuse oracle fedoraproject CWE-61
6.5
6.5
2018-02-22 CVE-2018-7408 Incorrect Permission Assignment for Critical Resource vulnerability in Npmjs NPM 5.7.0
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status).
local
low complexity
npmjs CWE-732
4.6
4.6
2016-07-02 CVE-2016-3956 Information Exposure vulnerability in multiple products
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
network
low complexity
ibm nodejs npmjs CWE-200
5.0
5.0