
npm — Vulnerabilities & Security Advisories (25)

Browse all 25 CVE security advisories affecting npm. AI-powered Chinese analysis, POCs, and references for each vulnerability.

npm serves as the default package manager for the JavaScript ecosystem, facilitating the distribution and installation of open-source code for Node.js applications. Its central role in software supply chains makes it a critical infrastructure component, though this prominence has attracted significant security scrutiny. Historically, vulnerabilities within the npm registry and associated tools have frequently involved remote code execution, cross-site scripting, and privilege escalation, often stemming from insecure dependency resolution or malicious package injection. Notable incidents include the compromise of popular libraries like event-stream, which demonstrated how attackers could insert backdoors into widely used modules, affecting downstream projects. With approximately 25 recorded CVEs, the platform continues to face challenges related to supply chain integrity. These incidents highlight the risks inherent in centralized dependency management, prompting ongoing efforts to enhance verification processes and mitigate the impact of compromised packages on global development workflows.

| CVE ID | Title | Package | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-0775 | npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability | cli | CWE-732 | 7.8 | - | 2026-01-23 |
| CVE-2023-31999 | Fastify Cross-Site Request Forgery Vulnerability | @fastify/oauth2 | - | 7.1 | - | 2023-07-04 |
| CVE-2021-32851 | jQuery MiniColors vulnerable to Cross-site Scripting | mind-elixir | CWE-79 | 6.1 | Medium | 2023-02-20 |
| CVE-2021-32860 | iziModal vulnerable to Cross-site Scripting | iziModal | CWE-79 | 6.1 | Medium | 2023-02-20 |
| CVE-2021-32855 | vditor vulnerable to Cross-site Scripting | vditor | CWE-79 | 6.1 | Medium | 2023-02-20 |
| CVE-2021-32854 | textAngular text editor vulnerable to Cross-site Scripting | textangular | CWE-79 | 6.1 | Medium | 2023-02-20 |
| CVE-2021-32853 | Erxes vulnerable to Cross-site Scripting | erxes | CWE-79 | 6.1 | Medium | 2023-02-20 |
| CVE-2021-32850 | jQuery MiniColors vulnerable to Cross-site Scripting | @claviska/jquery-minicolors | CWE-79 | 6.1 | Medium | 2023-02-20 |
| CVE-2022-29244 | npm packing does not respect root-level ignore files in workspaces | npm | CWE-200 | 7.5 | - | 2022-06-13 |
| CVE-2021-39135 | UNIX Symbolic Link (Symlink) Following in @npmcli/arborist | arborist | CWE-61 | 8.2 | High | 2021-08-31 |
| CVE-2021-39134 | UNIX Symbolic Link (Symlink) Following in @npmcli/arborist | arborist | CWE-61 | 8.2 | High | 2021-08-31 |
| CVE-2021-37713 | Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization | node-tar | CWE-22 | 8.2 | High | 2021-08-31 |
| CVE-2021-37701 | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links | node-tar | CWE-22 | 8.2 | High | 2021-08-31 |
| CVE-2021-37712 | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links | node-tar | CWE-22 | 8.2 | High | 2021-08-31 |
| CVE-2021-32804 | Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization | node-tar | CWE-22 | 8.2 | High | 2021-08-03 |
| CVE-2021-32803 | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning | node-tar | CWE-22 | 8.2 | High | 2021-08-03 |
| CVE-2020-15095 | Sensitive information exposure through logs in npm cli | cli | CWE-532 | 4.4 | Medium | 2020-07-07 |
| CVE-2019-16777 | Arbitrary File Overwrite in npm CLI | cli | CWE-22 | 7.7 | High | 2019-12-13 |
| CVE-2019-16776 | Unauthorized File Access in npm CLI before version 6.13.3 | cli | CWE-22 | 7.7 | High | 2019-12-13 |
| CVE-2019-16775 | Unauthorized File Access in npm CLI before version 6.13.3 | cli | CWE-61 | 7.7 | High | 2019-12-13 |
| CVE-2018-16474 | tianma-static module Cross-Site Scripting Vulnerability | tianma-static | CWE-79 | 6.1 | - | 2018-11-06 |
| CVE-2018-16473 | takeapeek module Path Traversal Vulnerability | takeapeek | CWE-22 | 5.3 | - | 2018-11-06 |
| CVE-2018-16475 | Knightjs Path Traversal Vulnerability | knightjs | CWE-22 | 7.5 | - | 2018-11-06 |
| CVE-2018-16472 | cached-path-relative Security Vulnerability | cached-path-relative | CWE-400 | 7.5 | - | 2018-11-06 |
| CVE-2018-11615 | npm mosca Security Vulnerability | npm mosca | CWE-20 | 7.5 | - | 2018-08-30 |

This page lists every published CVE security advisory associated with npm. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.