7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2016-3956

GHSA ID

GHSA-m5h6-hr3q-22h5

EPSS Score

0.84318%

CWE

CWE-200

Published

7/31/2018

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-3956

CVE-2016-3956:
npm Token Leak in npm

Affected versions of the npm package include the bearer token of the logged in user in every request made by the CLI, even if the request is not directed towards the user's active registry.

An attacker could create an HTTP server to collect tokens, and by various means including but not limited to install scripts, cause the npm CLI to make a request to that server, which would compromise the user's token.

This compromised token could be used to do anything that the user could do, including publishing new packages.

Recommendation

Update npm with npm install npm@latest -g
Revoke your Tokens
Enable Two-Factor Authentication

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2016-3956

GHSA ID

GHSA-m5h6-hr3q-22h5

EPSS Score

0.84318%

CWE

CWE-200

Published

7/31/2018

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
npm	npm	<= 2.15.0	2.15.1
npm	npm	>= 3.0.0, <= 3.8.2	3.8.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from npm CLI sending bearer tokens to all HTTP endpoints. The key functions identified are:

mapToRegistry: Directly responsible for resolving registry URLs and attaching credentials. Pre-patch versions lacked host validation (fixed via scopeAuth helper in commits f67ecad/fea8cc9).
getCredentialsByURI: Provided credentials without context-aware filtering. The 'alwaysAuth' logic was applied too broadly before registry host validation checks were added. The commit diffs show critical changes to these functions, including the introduction of host-matching logic and credential scoping.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* t** `npm` p**k*** in*lu** t** ***r*r tok*n o* t** lo**** in us*r in *v*ry r*qu*st m*** *y t** *LI, *v*n i* t** r*qu*st is not *ir**t** tow*r*s t** us*r's **tiv* r**istry. *n *tt**k*r *oul* *r**t* *n *TTP s*rv*r to *oll**t tok*n

Reasoning

T** vuln*r**ility st*mm** *rom npm *LI s*n*in* ***r*r tok*ns to *ll *TTP *n*points. T** k*y *un*tions i**nti*i** *r*: *. m*pToR**istry: *ir**tly r*sponsi*l* *or r*solvin* r**istry URLs *n* *tt***in* *r***nti*ls. Pr*-p*t** v*rsions l**k** *ost v*li**t

7.5

Basic Information

Concerned about an active attack path?

CVE-2016-3956: npm Token Leak in npm

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2016-3956:
npm Token Leak in npm

Vulnerability Intelligence
Miggo AI