CVE-2026-0775 Overview
CVE-2026-0775 is a local privilege escalation vulnerability affecting npm cli installations. This vulnerability allows local attackers to escalate privileges on affected systems by exploiting incorrect permission assignments in how npm handles module loading. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of modules where the application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user.
Critical Impact
Local attackers with low-privileged access can escalate to higher privileges and execute arbitrary code in the context of another user, potentially compromising system integrity and confidentiality.
Affected Products
- npm cli (specific versions not disclosed in advisory)
Discovery Timeline
- 2026-01-23 - CVE-2026-0775 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-0775
Vulnerability Analysis
This vulnerability is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). The flaw stems from npm cli's insecure handling of module loading paths, where modules are loaded from locations that lack proper access controls. When npm cli processes modules, it fails to verify that the module source directory has appropriate permissions, allowing a local attacker to place malicious code in these unsecured locations.
The attack requires local access and only low privileges initially, but exploitation complexity is considered high because the attacker must place a malicious module in the correct location at the right time. Successful exploitation nevertheless has a high impact on confidentiality, integrity, and availability, because the attacker gains the ability to execute code with elevated privileges.
Root Cause
The root cause of this vulnerability is incorrect permission assignment for critical resources during the module loading process. npm cli does not adequately validate or restrict the permissions on directories from which it loads modules, creating an opportunity for privilege escalation through malicious module injection.
Attack Vector
The attack is local in nature and follows this general pattern:
- Attacker gains initial low-privileged access to a system with npm cli installed
- Attacker identifies unsecured module loading paths used by npm cli
- Attacker places malicious module code in the unsecured location
- When a higher-privileged user or process runs npm cli, the malicious module is loaded
- Arbitrary code executes in the context of the target user, achieving privilege escalation
The vulnerability was tracked by Zero Day Initiative as ZDI-CAN-25430 and published as ZDI-26-043.
Detection Methods for CVE-2026-0775
Indicators of Compromise
- Unexpected files or modules appearing in npm's module loading directories
- Unusual processes spawned by npm or node with elevated privileges
- File permission changes on npm-related directories or configuration files
- Anomalous user activity patterns involving npm operations
Detection Strategies
- Monitor file system changes in npm's module directories for unauthorized modifications
- Implement file integrity monitoring (FIM) on critical npm installation paths
- Audit process creation events for unexpected privilege escalation patterns involving npm or node processes
- Review system logs for abnormal npm cli execution by privileged accounts
Monitoring Recommendations
- Enable detailed logging for npm operations and module loading events
- Configure endpoint detection and response (EDR) solutions to alert on suspicious module loading behavior
- Establish baselines for normal npm usage patterns and alert on deviations
- Monitor for TOCTOU-style attacks targeting module loading paths
How to Mitigate CVE-2026-0775
Immediate Actions Required
- Audit file permissions on all npm module directories and ensure proper access controls
- Restrict write access to npm installation and module directories to administrative users only
- Review and limit which users have the ability to execute npm cli on critical systems
- Apply vendor patches when available from npm
Patch Information
At the time of publication, patch information has not been disclosed. Organizations should monitor the Zero Day Initiative Advisory ZDI-26-043 and npm's official security advisories for patch availability and specific version remediation guidance.
Workarounds
- Restrict npm module directory permissions to prevent unauthorized writes using appropriate file system ACLs
- Run npm cli with the principle of least privilege, avoiding execution as root or administrator
- Consider using containerized environments to isolate npm operations from the host system
- Implement application whitelisting to prevent unauthorized modules from being loaded
# Example: Secure npm module directory permissions
# Check current permissions on npm global modules
ls -la "$(npm root -g)"
# Restrict ownership to root (adjust path as needed)
sudo chown -R root:root "$(npm root -g)"
# Remove group/other write access without marking every file executable
sudo chmod -R go-w "$(npm root -g)"
# Verify npm prefix configuration
npm config get prefix
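The permission audit recommended above can be scripted. The following is an added example, not code from the advisory or from npm: it lists entries under a module directory that a non-owner can write to, and also checks the parent directories, since a writable ancestor lets a local user swap the whole tree. The function names and the choice to treat sticky-bit directories as acceptable are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a module directory for non-owner write access.
# Function names are hypothetical; nothing here is npm's own tooling.

# Print entries under $1 that are group- or world-writable.
# Symlinks are skipped because their mode bits are not enforced.
writable_entries() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Print ancestors of $1 (up to /) that are group- or world-writable.
# Directories with the sticky bit (such as /tmp) are not reported, because
# other users cannot rename or delete entries they do not own there.
writable_ancestors() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        # -prune tests the directory itself without descending into it
        find "$dir" -prune \( -perm -020 -o -perm -002 \) \
            ! -perm -1000 -print 2>/dev/null
    done
}

# Print all findings for $1; return 1 if anything was found, 0 if clean.
audit_module_dir() {
    findings=$( { writable_entries "$1"; writable_ancestors "$1"; } | sort -u )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf 'non-owner writable: %s\n' $findings
    return 1
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_module_dir "$1"
fi
```

Run it as `sh audit.sh "$(npm root -g)"`; a non-zero exit status means at least one path needs its permissions corrected. Paths containing whitespace are split across lines in the report.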


