Description
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
Published: 2026-01-23
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Assess Impact
AI Analysis

Impact

A flaw in npm CLI arises when the package manager loads modules from an unsecured location and applies incorrect permission assignments. This permits a local adversary who already has the ability to run low‑privileged code on the system to elevate privileges and execute arbitrary code with the effective rights of the target user. The vulnerability could compromise confidentiality, integrity, and availability of user data and system resources.

Affected Systems

The issue affects installations of the npm command‑line interface. No specific version ranges were supplied, so all current npm CLI deployments are potentially vulnerable until a fix is applied.

Risk and Exploitability

The Common Vulnerability Scoring System rates the defect at 7.0, labeling it as a moderate severity flaw. Exploit probability, per the Exploit Prediction Scoring System, is below 1%, indicating that attacks are considered unlikely at present. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, further limiting the likelihood of widespread exploitation. The threat surface is local; an attacker requires prior ability to execute code at low privilege to launch an escalation attempt. The combination of moderate CVSS, low EPSS, and lack of active exploitation suggests a measured but non‑negligible risk for environments without immediate mitigation.

Generated by OpenCVE AI on April 18, 2026 at 15:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether a patched npm CLI release is available and upgrade immediately once one is released.
  • If an upgrade is not yet possible, restrict the locations from which npm can load modules by configuring npm to use only secure, permission‑controlled directories.
  • Enforce correct permission settings on the npm executable and its associated node_modules directories to prevent unauthorized privilege changes.
  • Apply the principle of least privilege when executing npm: run it in a strictly limited user context and avoid unnecessary elevated permissions.
  • Monitor system logs for abnormal module loading or permission‑changing activity that may indicate exploitation attempts.
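The second and third actions above amount to a permission audit of the directories npm and Node resolve modules from (the CWE-732 pattern: a module directory that other local users can write to lets them plant code that a higher-privileged npm or node invocation will load). The script below is an added example, not OpenCVE's or the npm project's own tooling, and it assumes a POSIX shell with `find`; `module_search_dirs`, `audit_module_dirs` and the `--live` flag are names chosen here. It checks the npm global root and prefix (via the real `npm root -g` / `npm prefix -g` commands), any `NODE_PATH` entries, and Node's documented legacy global folders, reporting every entry that is group- or world-writable.

```shell
#!/bin/sh
# Added example (not from OpenCVE or npm): audit module search directories
# for insecure write permissions (CWE-732, incorrect permission assignment).

# Print "<mode> <owner> <path>" for every group- or world-writable entry under
# the given directories. Returns 0 when nothing is found, 1 otherwise.
# Directories that do not exist are skipped.
audit_module_dirs() {
    findings=$(
        for dir in "$@"; do
            [ -d "$dir" ] || continue
            # -perm -0002: world write bit set; -perm -0020: group write bit set
            find "$dir" \( -perm -0002 -o -perm -0020 \) -exec ls -ld {} \;
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Candidate search directories: npm's global module root and bin prefix,
# NODE_PATH components, and Node's documented legacy global folders
# ($HOME/.node_modules, $HOME/.node_libraries). Nonexistent ones are skipped
# later by audit_module_dirs.
module_search_dirs() {
    if command -v npm >/dev/null 2>&1; then
        npm root -g 2>/dev/null
        printf '%s/bin\n' "$(npm prefix -g 2>/dev/null)"
    fi
    if [ -n "${NODE_PATH:-}" ]; then
        printf '%s\n' "$NODE_PATH" | tr ':' '\n'
    fi
    printf '%s\n' "$HOME/.node_modules" "$HOME/.node_libraries"
}

# Stand-alone usage: `sh audit.sh --live` audits the live search path and
# exits non-zero on findings. Search paths are assumed to contain no
# whitespace (the unquoted substitution word-splits on it).
if [ "${1:-}" = "--live" ]; then
    # shellcheck disable=SC2046
    audit_module_dirs $(module_search_dirs)
fi
```

Run it from the account that invokes npm with elevated rights; a finding on a directory that account resolves modules from is exactly the condition the advisory describes, and the fix is to restore owner-only write permission (or remove the stray directory) rather than to change how npm is invoked.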

Generated by OpenCVE AI on April 18, 2026 at 15:16 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-3966-f6p6-2qr9
Title: Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
History

Tue, 27 Jan 2026 00:15:00 +0000

Type: References
Type: Metrics
  Values Removed:
    threat_severity: None
  Values Added:
    cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    threat_severity: Important


Fri, 23 Jan 2026 20:15:00 +0000

Type: Metrics
  Values Added:
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
  Values Added: Npm; Npm npm
Type: Vendors & Products
  Values Added: Npm; Npm npm

Fri, 23 Jan 2026 04:00:00 +0000

Type: Description
  Values Added: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
Type: Title
  Values Added: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability
Type: Weaknesses
  Values Added: CWE-732
Type: References
Type: Metrics
  Values Added:
    cvssV3_0: {'score': 7, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-02-26T14:44:25.563Z

Reserved: 2026-01-08T22:50:45.465Z

Link: CVE-2026-0775

Vulnrichment

Updated: 2026-01-23T19:16:42.820Z

NVD

Status : Deferred

Published: 2026-01-23T04:16:04.793

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0775

Redhat

Severity : Important

Published Date: 2026-01-23T03:29:14Z

Links: CVE-2026-0775 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses