Information Exposure Vulnerability in npm CLI: Passwords Printed in Log Files

Information Exposure Vulnerability in npm CLI: Passwords Printed in Log Files

CVE-2020-15095 · MEDIUM Severity

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.

Learn more about our User Device Pen Test.