cvedb.io
CVE-2021-39135
HIGH · CVSS 8.2
EPSS exploitation probability: 0%
Published 2021-08-31T17:15:08.207 · Last modified 2026-06-17T04:03:08.153

Summary

`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstal

Affected products

npmjs — arborist

