Description
npm is the package manager for the JavaScript programming language and the default package manager for the Node.js runtime. When an npm command fails, npm versions before 7 write a debug log named npm-debug.log to the current working directory (npm 7 and later write their logs to the _logs directory inside the npm cache, ~/.npm/_logs by default). If npm is run inside the web server's document root, for example during a deployment or build step, the file is created alongside the site's content and is served like any other static file.
It was confirmed that the npm-debug.log file in this directory is publicly accessible. The log records the full npm command line, absolute filesystem paths (including the working directory), the Node.js and npm versions, the registry URLs contacted, the names and versions of the packages npm tried to fetch, and the stack traces of failed commands. This information helps an attacker fingerprint the host and its build process, so access to the file should be restricted and leaked copies removed.
Remediation
Restrict access to the npm-debug.log file in your web server configuration, and delete any copy that already exists under the document root. Better still, do not run npm inside the served directory at all, so the file is never created there. Running npm with --loglevel silent (note the two leading dashes) reduces its logging output, but do not rely on the flag alone, since the file is written when a command fails:
npm install <package> --loglevel silent
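The following script is an added example for this advisory, not code from npm or from the scanner. It covers both points above: it fingerprints a file as an npm debug log (and shows what such a log exposes), finds and removes leaked copies under a document root, and appends an Apache 2.4 deny rule so a future copy is not served. The sample log content, the document-root paths and the function names are constructed assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example for this advisory (not npm's or the scanner's code): triage a
# leaked npm-debug.log, remove copies under the document root, and deny the
# file name at the web server. Paths, the sample log and the function names
# are assumptions made for this example.
set -eu

# Constructed sample of the npm-debug.log that npm < 7 leaves in the current
# directory after a failed command. Note what it exposes: the command line,
# absolute paths (including the cwd), tool versions, the registry URL and the
# package names npm tried to fetch.
SAMPLE_NPM_DEBUG_LOG=$(cat <<'EOF'
0 info it worked if it ends with ok
1 verbose cli [ '/usr/bin/node', '/usr/bin/npm', 'install' ]
2 info using npm@6.14.4
3 info using node@v12.16.1
4 verbose npm-session 3f5e7a1c9b2d4e60
5 silly install loadCurrentTree
6 http fetch GET 404 https://registry.npmjs.org/example-internal-lib 231ms
7 verbose stack Error: 404 Not Found - GET https://registry.npmjs.org/example-internal-lib
8 verbose cwd /var/www/html
9 verbose Linux 4.15.0-96-generic
10 verbose argv "/usr/bin/node" "/usr/bin/npm" "install"
11 error code E404
12 error 404 Not Found - GET https://registry.npmjs.org/example-internal-lib
EOF
)

# Return 0 when FILE has the "<seq> <level> <message>" line shape of an npm
# debug log plus one of its characteristic header lines, 1 otherwise.
is_npm_debug_log() {
    if grep -Eq '^[0-9]+ (silly|verbose|info|http|timing|warn|error) ' "$1" &&
        grep -Eq '^[0-9]+ (info using npm@|verbose cli |verbose argv )' "$1"; then
        return 0
    fi
    return 1
}

# Print each npm-debug.log below DOCROOT, one per line; return 1 when none exists.
find_npm_logs() {
    found=$(find "$1" -type f -name 'npm-debug.log' 2>/dev/null || true)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Number of npm-debug.log files below DOCROOT (0 when none).
count_npm_logs() {
    find_npm_logs "$1" | wc -l | tr -d ' '
}

# Delete every npm-debug.log below DOCROOT, printing each path removed.
remove_npm_logs() {
    find "$1" -type f -name 'npm-debug.log' -print -exec rm -f {} +
}

# Append an Apache 2.4 rule denying npm-debug.log to DOCROOT/.htaccess
# (skipped when the file already mentions it, so it is safe to rerun).
add_htaccess_deny() {
    htaccess="$1/.htaccess"
    if [ -f "$htaccess" ] && grep -q 'npm-debug.log' "$htaccess"; then
        return 0
    fi
    cat >>"$htaccess" <<'EOF'
<Files "npm-debug.log">
    Require all denied
</Files>
EOF
}

# External confirmation against a live site (needs network, not run here):
# prints the HTTP status for /npm-debug.log; anything other than 403/404
# means the file is still being served.
check_url() {
    curl -s -o /dev/null -w '%{http_code}' "${1%/}/npm-debug.log"
}

# Demonstration on a throwaway document root seeded with the sample above.
demo_root=$(mktemp -d)
printf '%s\n' "$SAMPLE_NPM_DEBUG_LOG" >"$demo_root/npm-debug.log"
if is_npm_debug_log "$demo_root/npm-debug.log"; then
    echo "fingerprint matched: $demo_root/npm-debug.log is an npm debug log"
fi
echo "leaked logs before cleanup: $(count_npm_logs "$demo_root")"
remove_npm_logs "$demo_root"
add_htaccess_deny "$demo_root"
echo "leaked logs after cleanup: $(count_npm_logs "$demo_root"); deny rule in $demo_root/.htaccess"
rm -rf "$demo_root"
```

The .htaccess rule only takes effect where the server's AllowOverride setting permits it; otherwise put the same `<Files>` block in the virtual host configuration. On nginx the equivalent is `location = /npm-debug.log { return 404; }` in the server block. After deploying either rule, run check_url against the live hostname and confirm the status is no longer 200.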
References
Related Vulnerabilities
PHP opcache-gui publicly accessible
TYPO3 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-3946)
rack-mini-profiler environment variables disclosure
SAP NetWeaver Java AS WD_CHAT information disclosure vulnerability
WordPress Plugin iThemes Security (formerly Better WP Security) Multiple Vulnerabilities (3.6.3)