Bug 1328413 (CVE-2016-3956) - CVE-2016-3956 npm: bearer token leak to non-registry hosts
Summary: CVE-2016-3956 npm: bearer token leak to non-registry hosts
Alias: CVE-2016-3956
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1328414 1328415 1328416
Blocks: Embargoed1328418
TreeView+ depends on / blocked
Reported: 2016-04-19 10:51 UTC by Andrej Nemec
Modified: 2021-02-17 04:02 UTC (History)
5 users (show)

Fixed In Version: npm 3.8.3, npm 2.15.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-04-27 09:33:26 UTC

Attachments (Terms of Use)

Description Andrej Nemec 2016-04-19 10:51:14 UTC
The primary npm registry has, since late 2014, used HTTP bearer tokens to authenticate requests from the npm command-line interface. Due to a design flaw in the CLI, these bearer tokens were sent with every request made by the CLI for logged-in users, regardless of the destination of the request. They should instead only be included for requests made against the registry or registries used for the current install.

This flaw allows an attacker to set up an HTTP server that could collect authentication information they could use to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages.

External references:


Comment 1 Andrej Nemec 2016-04-19 10:51:55 UTC
Created npm tracking bugs for this issue:

Affects: fedora-all [bug 1328414]
Affects: epel-6 [bug 1328415]
Affects: epel-7 [bug 1328416]

Comment 3 Tomas Hoger 2016-04-27 09:33:26 UTC
This is only relevant to use cases where npm is used with authentication - private repos or workstations form which developers publish new package versions.  Common uses case when npm is used to install publicly available packages are not affected.

Comment 4 Andrej Nemec 2016-07-04 07:46:41 UTC
This issue has a CVE now:


Note You need to log in before you can comment on or make changes to this bug.