Vulnerabilities > Npmjs > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-08-31 CVE-2021-37713 Path Traversal vulnerability in multiple products
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability.
4.4
2021-03-23 CVE-2021-23362 The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js.
network
low complexity
npmjs siemens
5.3
2020-10-27 CVE-2020-7754 Unspecified vulnerability in Npmjs Npm-User-Validate
This affects the package npm-user-validate before 1.0.1.
network
low complexity
npmjs
5.0
2020-07-07 CVE-2020-15095 Information Exposure Through Log Files vulnerability in multiple products
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files.
local
high complexity
npmjs opensuse fedoraproject CWE-532
4.4
2019-12-13 CVE-2019-16777 Improper Privilege Management vulnerability in multiple products
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite.
network
low complexity
npmjs opensuse oracle fedoraproject redhat CWE-269
6.5
2019-12-13 CVE-2019-16775 UNIX Symbolic Link (Symlink) Following vulnerability in multiple products
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write.
network
low complexity
redhat npmjs opensuse oracle fedoraproject CWE-61
6.5
2018-02-22 CVE-2018-7408 Incorrect Permission Assignment for Critical Resource vulnerability in Npmjs NPM 5.7.0
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status).
local
low complexity
npmjs CWE-732
4.6
2016-07-02 CVE-2016-3956 Information Exposure vulnerability in multiple products
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
network
low complexity
ibm nodejs npmjs CWE-200
5.0