The npm CLI is the command line client that allows developers to install and publish packages to npm registries.
- Remote Code Execution (RCE): Since the npm CLI is a shell tool that is run on a developer’s machine, the bar for an RCE is higher than for other assets. We consider the following to be examples of unintended RCE:
  - Arbitrary script execution that can break out of the
  - Arbitrary code execution from a command that should not modify the package tree
- Authentication theft/disclosure, such as inappropriately sending authentication credentials intended for a given server to some other server
- Credentials (from the .npmrc file) being leaked in logs
- Package integrity compromise, i.e., downloading something that does not match the integrity of
- Overwriting an executable that already exists with a globally installed package if --force has not been set
- Social engineering: Code execution that requires social engineering or unlikely user interaction is typically not eligible for rewards.
- Local access: Vulnerabilities that require local system access, such as local credential storage issues.
- Arbitrary code execution in commands that modify the package tree: By default, commands that modify the package tree, such as npm install, run the pre- and post-install scripts. If you would like to disable this, you can set the
- Upstream dependencies: Vulnerabilities that are due to a vulnerability in an upstream dependency are out of scope and should instead be disclosed to the upstream maintainers. We may make exceptions for vulnerabilities that we deem to have a substantial impact; however, issues should still be directed to the maintainers of the upstream dependency first.
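As an added illustration of the lifecycle-script behaviour described above (example code, not part of this bounty page or of the npm project), the following Python script walks a node_modules tree and lists every package that declares a preinstall, install or postinstall script, i.e. the hooks that npm install runs by default. The sample tree it builds is constructed data; the package names and commands are made up.

```python
import json
import os
import tempfile

# Lifecycle hooks that npm runs for each package while it modifies the
# package tree (e.g. during `npm install`) unless scripts are disabled.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(node_modules):
    """Return {relative package dir: {"name": ..., "hooks": {hook: command}}}
    for every package under node_modules that declares an install hook."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing npm would run
        scripts = manifest.get("scripts")
        if not isinstance(scripts, dict):
            scripts = {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            rel = os.path.relpath(dirpath, node_modules).replace(os.sep, "/")
            found[rel] = {"name": manifest.get("name", rel), "hooks": hooks}
    return found


def build_sample_tree():
    """Construct a small node_modules tree with made-up packages (sample data)."""
    root = tempfile.mkdtemp(prefix="node_modules_")
    samples = {
        "left-pad-like": {"name": "left-pad-like", "scripts": {"test": "node test.js"}},
        "native-ish": {"name": "native-ish", "scripts": {"install": "node-gyp rebuild"}},
        "@scope/hooky": {"name": "@scope/hooky", "scripts": {"postinstall": "node setup.js"}},
    }
    for rel, manifest in samples.items():
        pkg_dir = os.path.join(root, *rel.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for rel, info in sorted(find_install_scripts(build_sample_tree()).items()):
        print(f"{info['name']} ({rel}): {info['hooks']}")
```

Pointing find_install_scripts at a real project's node_modules shows which packages would get to run code on the next tree-modifying command, which is useful when deciding whether to install with scripts disabled.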
Recently collected npm CLI bounties:
No vulnerabilities have been reported yet. Yours can be the first!