VYPR
High severity · NVD Advisory · Published Sep 13, 2019 · Updated Aug 4, 2024

CVE-2019-5484

Description

Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bower before 1.8.8 has a path traversal vulnerability allowing arbitrary file writes via malicious package extraction.

Root Cause

Bower versions prior to 1.8.8 are vulnerable to path traversal during the extraction of .tar.gz package archives. The extractor is meant to drop symbolic-link entries, but, as the fix commit (45c6bfa86f6e) shows, the filter compared the entry type against 'SymbolicLink' while the extraction library reports it as 'symlink', and, judging by the changed callback signature, it also read the entry from the wrong argument; the check therefore never matched and symlinks were extracted together with everything else. A specially crafted package can thus carry a symlink whose target lies outside the intended extraction directory, and files placed beneath that link are written to arbitrary locations on the file system [1].

Exploitation

To exploit this vulnerability, an attacker crafts a malicious package whose archive contains a symlink entry pointing at a directory outside the extraction root and then places file entries beneath that link, so that extracting them writes through the symlink to the link's target. The package is installed via Bower's install command; no authentication is required beyond the victim invoking Bower on the malicious package, for example as a transitive dependency. The attack surface is limited to scenarios where a developer or build system installs a package from an untrusted source, but Bower's wide use (nearly 2 million downloads per month at the time of the report) increases the risk [1][2].

Impact

Successful exploitation lets an attacker write or overwrite arbitrary files, with the privileges of the user running Bower, on the machine that installs the package. If the overwritten files are later executed or loaded (shell profiles, configuration files, executables, libraries, or scripts of the project itself), this escalates to code execution on that host, typically a developer workstation or CI runner. The advisory from the Node.js Security Working Group rates the vulnerability as high severity [1][4].

Mitigation

The vulnerability is patched in Bower version 1.8.8. Users are strongly advised to upgrade immediately and to confirm the installed version with `bower --version` (or `npm ls -g bower`). No workarounds have been published; until the upgrade is in place, the only mitigation is not to install packages from untrusted sources. The issue was reported by security researcher skyn3t and fixed by Adam Stankiewicz of the Bower core team [1][2][3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Affected versions   Patched versions
bower (npm)   < 1.8.8             1.8.8

Affected products (3)

Patches (1)
45c6bfa86f6e

Fix .tar.gz extract vulnerability

https://github.com/bower/bower · Adam Stankiewicz · Jan 23, 2019 · via ghsa
2 files changed · +3 −3
  • lib/util/extract.js+2 2 modified
    @@ -130,8 +130,8 @@ function extractGz(archive, dst) {
         return deferred.promise;
     }
     
    -function isSymlink(entry) {
    -    return entry.type === 'SymbolicLink';
    +function isSymlink(_, entry) {
    +    return entry.type === 'symlink';
     }
     
     function filterSymlinks(entry) {
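Review bot: the adjacent `filterSymlinks(entry)` on the last context line still takes a single `entry` argument while `isSymlink` now expects the entry second, as `isSymlink(_, entry)`; confirm which of the two is registered as the extraction library's ignore callback and that every caller passes `(name, entry)` in that order, otherwise the same silent mismatch that kept the old `'SymbolicLink'` comparison from ever firing would recur. A regression test that extracts an archive containing a symlink entry would pin down both the argument order and the dependence on the library's `'symlink'` type string, and a one-line comment saying that `'symlink'` is the library's type name would stop a future "correction" back to `'SymbolicLink'`.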
    
  • package.json+1 1 modified
    @@ -94,7 +94,7 @@
         "test": "grunt test",
         "ci": "grunt travis",
         "coveralls": "coveralls",
    -    "prepublish": "in-publish && echo 'You need to use \"grunt publish\" to publish bower' && false || not-in-publish",
    +    "prepublishOnly": "in-publish && echo 'You need to use \"grunt publish\" to publish bower' && false || not-in-publish",
         "format": "prettier --write --single-quote --tab-width 4 '**/*.js'",
         "precommit": "lint-staged"
       },
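Review bot: the `prepublish` to `prepublishOnly` rename is unrelated to the extraction fix and belongs in its own commit, so that the security patch stays minimal and is easy to backport or audit. It also changes behaviour rather than just naming: `prepublish` ran on a bare `npm install` in npm versions before 5, which is what the `in-publish`/`not-in-publish` guard was working around, whereas `prepublishOnly` runs only before `npm publish`; that is worth a sentence in the commit message.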
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (11)

News mentions (0)

No linked articles in our index yet.