Platform
nodejs
Component
cli
Fixed in
1.0.0
CVE-2016-10538 describes an Arbitrary File Access vulnerability affecting the cli package. This vulnerability allows an attacker to potentially write to arbitrary files on the system if they can create symbolic links at predictable temporary file locations used by the cli process. The vulnerability impacts versions prior to 1.0.0 and has been resolved with an update.
The core of this vulnerability lies in the cli package's use of predictable temporary file names for lock and log files. Specifically, the filenames are constructed using /tmp/ combined with the application name and extensions like .pid and .log. An attacker who can create symbolic links within the /tmp/ directory can manipulate these filenames. By creating a symbolic link pointing to a sensitive file (e.g., a configuration file, a database file, or even a system binary) that the user running the cli process has write access to, the attacker can effectively overwrite that file with malicious content. This could lead to privilege escalation, data breaches, or denial of service, depending on the targeted file and the attacker's goals.
This vulnerability was publicly disclosed in 2019. While no active exploitation campaigns have been definitively linked to CVE-2016-10538, the ease of exploitation and the potential impact make it a worthwhile target for attackers. There are publicly available proof-of-concept exploits demonstrating the vulnerability. It is not currently listed on CISA KEV.
Exploit Status
EPSS
0.32% (55% percentile)
The primary mitigation for CVE-2016-10538 is to upgrade the cli package to version 1.0.0 or later, which addresses the predictable temporary file naming issue. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider restricting write access for the cli process user to only the necessary files and directories. Additionally, implement strict symbolic link restrictions within the /tmp/ directory to prevent unauthorized link creation. Monitor /tmp/ for unexpected symbolic links. After upgrading, verify the fix by attempting to create a symbolic link in /tmp/ and confirming that the cli process is unable to write to arbitrary files.
No official patch available. Check for workarounds or monitor for updates.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2016-10538 is a vulnerability in the cli package that allows attackers to write to arbitrary files if they can create symbolic links in the /tmp/ directory.
You are affected if you are using a version of the cli package prior to 1.0.0.
Upgrade the cli package to version 1.0.0 or later. Consider restricting write access for the cli process user as a temporary workaround.
While no active campaigns are definitively linked, the vulnerability's ease of exploitation makes it a potential target.
Refer to the package's release notes and associated security advisories for details on the fix.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.