CVE-2013-4116 in Node Packaged Modules
Summary
by MITRE
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.
Analysis
by VulDB Data Team • 05/11/2026
The vulnerability identified as CVE-2013-4116 affects the Node Packaged Modules (npm) package manager version 1.3.2 and earlier, representing a critical local privilege escalation and file overwrite vulnerability. This flaw exists within the lib/npm.js component of npm's architecture, specifically during the archive unpacking process where temporary files are created with predictable naming conventions. The vulnerability stems from insufficient security measures in the temporary file handling mechanism, allowing malicious actors with local access to manipulate the system through symlink attacks. Attackers can exploit this weakness by creating symbolic links that point to sensitive target files, then triggering the npm archive extraction process which will overwrite these targets with malicious content. This represents a classic symlink attack pattern that has been documented in various security contexts, particularly in Unix-like operating systems where predictable temporary file names create exploitable conditions.
The technical implementation of this vulnerability involves the predictable naming of temporary files during npm's archive unpacking operations. When npm extracts compressed archives, it creates temporary files using hardcoded or easily guessable names that do not incorporate sufficient randomness or security measures. The flaw manifests when these temporary files are processed in a manner that does not properly validate the target paths or ensure that the files being created are indeed the expected temporary files. During the extraction process, if an attacker has already established symbolic links with the same predictable names in the temporary directory, the archive extraction will follow these links and write content to locations chosen by the attacker rather than the intended temporary locations. This creates a race condition scenario where the attacker can effectively control where files are written on the system, potentially overwriting critical system files or configuration data. The vulnerability is classified under CWE-362, which specifically addresses race conditions, and aligns with ATT&CK technique T1059.001 for executing malicious code through command-line interfaces.
The operational impact of CVE-2013-4116 extends beyond simple file overwrites to encompass potential privilege escalation and system compromise scenarios. Local users who can execute npm commands or trigger the vulnerable archive extraction process gain the ability to manipulate files with permissions equal to or greater than their own access level. In environments where npm is used with elevated privileges or where users have write access to system directories, this vulnerability could enable attackers to install malicious software, modify system configurations, or corrupt critical application data. The vulnerability is particularly dangerous in automated build environments or continuous integration systems where npm operations are frequently executed with elevated permissions. Additionally, the predictable nature of temporary file names makes this vulnerability relatively easy to exploit compared to more complex attacks requiring social engineering or additional reconnaissance. The attack vector is straightforward and requires minimal prerequisites, making it a significant concern for organizations that rely on npm for package management and dependency resolution.
Organizations using vulnerable versions of npm should immediately implement patch management procedures to upgrade to version 1.3.3 or later, which includes proper temporary file handling mechanisms that prevent symlink-based attacks by using secure randomization or atomic file operations. The fix typically involves implementing proper validation of temporary file paths and ensuring that file operations are performed in secure temporary directories with appropriate permissions.