Source: npm
Version: 9.2.0~ds2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for npm.

CVE-2026-0775[0]:
| npm cli Incorrect Permission Assignment Local Privilege Escalation
| Vulnerability. This vulnerability allows local attackers to escalate
| privileges on affected installations of npm cli. An attacker must
| first obtain the ability to execute low-privileged code on the
| target system in order to exploit this vulnerability. The specific
| flaw exists within the handling of modules. The application loads
| modules from an unsecured location. An attacker can leverage this
| vulnerability to escalate privileges and execute arbitrary code in
| the context of a target user. Was ZDI-CAN-25430.

There seems to be disagreement on the issue, as upstream considers this
as working as designed but ZDI asked to reconsider the assessment.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-0775
    https://www.cve.org/CVERecord?id=CVE-2026-0775
[1] https://www.zerodayinitiative.com/advisories/ZDI-26-043/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
