Skip to content

Global node_modules Binary Overwrite in bin-links

low severity Published Sep 4, 2020

Package

npm bin-links (npm)

Affected versions

< 1.1.6

Patched versions

1.1.6

Description

Versions of bin-links prior to 1.1.6 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent globally-installed binaries to be overwritten by other package installs. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This behavior is still allowed in local installations.

Recommendation

Upgrade to version 1.1.6 or later.

References

GHSA ID

GHSA-v45m-2wcp-gg98