Low severity · NVD Advisory · Published Apr 22, 2014 · Updated May 6, 2026
CVE-2013-4116
Description
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.
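The weakness described above next to a hardened creation pattern, as an added example that is not npm's code. `legacyTmpPath`, `createPrivateTmp`, `claimExactDir` and `writeNewFile` are hypothetical helper names, and the example goes beyond the random suffix in the Patches section by also creating the directory and its files exclusively.

```javascript
const crypto = require("crypto")
const fs = require("fs")
const path = require("path")

// Pre-1.3.3 naming from the advisory: only the PID varies, so any local
// user can guess the path before npm creates it.
function legacyTmpPath(base, pid) {
  return path.join(base, "npm-" + pid)
}

// Hypothetical helper: create a private scratch directory.
// 6 random bytes are hex-encoded, so no characters need replacing.
// Non-recursive mkdir fails with EEXIST on any existing entry, including a
// symlink, instead of following it; mode 0700 keeps other local users out.
function createPrivateTmp(base, prefix) {
  for (let attempt = 0; attempt < 5; attempt++) {
    const dir = path.join(base, prefix + crypto.randomBytes(6).toString("hex"))
    try {
      fs.mkdirSync(dir, { mode: 0o700 })
      return dir
    } catch (err) {
      if (err.code !== "EEXIST") throw err // retry only on a name collision
    }
  }
  throw new Error("could not create a unique temporary directory")
}

// Hypothetical helper: claim one exact path. Returns false when the path is
// already occupied by a file, directory or symlink.
function claimExactDir(dir) {
  try {
    fs.mkdirSync(dir, { mode: 0o700 })
    return true
  } catch (err) {
    if (err.code === "EEXIST") return false
    throw err
  }
}

// Write a new file with O_CREAT|O_EXCL ("wx"): the open fails if the name
// exists, and a symlink placed at that name is not followed.
function writeNewFile(dir, name, data) {
  const fd = fs.openSync(path.join(dir, name), "wx", 0o600)
  try {
    fs.writeSync(fd, data)
  } finally {
    fs.closeSync(fd)
  }
}
```

A caller that gets `false` from `claimExactDir`, or `EEXIST` from `writeNewFile`, should abort or pick a new name rather than reuse the existing entry.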
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| npm | < 1.3.3 | 1.3.3 |
Affected products
- cpe:2.3:a:node_packaged_modules_project:node_packaged_modules:*:*:*:*:*:node.js:*:* (Range: <1.3.3)
Patches
- f4d31693: Put 6 bytes of random in tmp folder name
1 file changed · +6 −1
lib/npm.js+6 −1 modified@@ -477,9 +477,14 @@ Object.defineProperty(npm, "cache", }) var tmpFolder +var crypto = require("crypto") +var rand = crypto.randomBytes(6) + .toString("base64") + .replace(/\//g, '_') + .replace(/\+/, '-') Object.defineProperty(npm, "tmp", { get : function () { - if (!tmpFolder) tmpFolder = "npm-" + process.pid + if (!tmpFolder) tmpFolder = "npm-" + process.pid + "-" + rand return path.resolve(npm.config.get("tmp"), tmpFolder) } , enumerable : true
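Review bot: in the `rand` chain, `.replace(/\+/, '-')` has no `g` flag while the preceding `.replace(/\//g, '_')` does, so only the first `+` in the base64 output is rewritten; use `/\+/g`, or switch to `toString("hex")` and drop both replaces, so the name is built consistently. A leftover `+` is harmless in a path component and does not reduce the 6 random bytes. The `npm.tmp` getter only returns a path, though: the unpredictable name closes the symlink window only if callers create the directory in a way that treats an existing entry as an error, which these lines do not show and which is worth confirming at the call sites.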
References
- github.com/npm/npm/commit/f4d31693 (nvd; Patch, Third Party Advisory; WEB)
- www.openwall.com/lists/oss-security/2013/07/10/17 (nvd; Mailing List, Third Party Advisory; WEB)
- www.openwall.com/lists/oss-security/2013/07/11/9 (nvd; Mailing List, Third Party Advisory; WEB)
- www.securityfocus.com/bid/61083 (nvd; Third Party Advisory, VDB Entry; WEB)
- bugs.debian.org/cgi-bin/bugreport.cgi (nvd; Issue Tracking, Third Party Advisory; WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd; Issue Tracking, Third Party Advisory; WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/87141 (nvd; Third Party Advisory, VDB Entry; WEB)
- github.com/advisories/GHSA-v3jv-wrf4-5845 (ghsa; ADVISORY)
- github.com/npm/npm/issues/3635 (nvd; Third Party Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2013-4116 (ghsa; ADVISORY)
- www.npmjs.com/advisories/152 (ghsa; WEB)