[Pkg-javascript-devel] Bug#1126756: npm: CVE-2026-0775
Salvatore Bonaccorso
carnil at debian.org
Sun Feb 1 08:46:37 GMT 2026
Source: npm
Version: 9.2.0~ds2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for npm.
CVE-2026-0775[0]:
| npm cli Incorrect Permission Assignment Local Privilege Escalation
| Vulnerability. This vulnerability allows local attackers to escalate
| privileges on affected installations of npm cli. An attacker must
| first obtain the ability to execute low-privileged code on the
| target system in order to exploit this vulnerability. The specific
| flaw exists within the handling of modules. The application loads
| modules from an unsecured location. An attacker can leverage this
| vulnerability to escalate privileges and execute arbitrary code in
| the context of a target user. Was ZDI-CAN-25430.
There seems to be disagreement on the issue, as upstream considers
this to be working as designed, but ZDI asked to reconsider the
assessment.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-0775
https://www.cve.org/CVERecord?id=CVE-2026-0775
[1] https://www.zerodayinitiative.com/advisories/ZDI-26-043/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore