CVE-2016-3956

high

Published 2016-07-02 · Modified 2026-02-04

CVSS v3

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2

5.0

VIR risk

7.5

Description

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.

Predictions

Exploit likelihood

83%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-3956

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://www-01.ibm.com/support/docview.wss?uid=swg21980827

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-3956.html

OS impact

OS	Version	Status	Fixed in
sles		affected
debian	bookworm	fixed	`5.8.0+ds-2`
debian	bullseye	fixed	`5.8.0+ds-2`
debian	forky	fixed	`5.8.0+ds-2`
debian	sid	fixed	`5.8.0+ds-2`
debian	trixie	fixed	`5.8.0+ds-2`

Package impact

Ecosystem	Package	Vulnerable	Fixed
npm	npm	`<2.15.1`	`2.15.1`
npm	npm	`>=3.0.0,<3.8.3`	`3.8.3`

Application impact

Vendor	Product	Versions	Fixed
nodejs	node.js	`0.12.7`
nodejs	node.js	`0.12.8`
ibm	sdk	`{"endIncluding":"1.1.0.20"}`
nodejs	node.js	`0.10.0`
nodejs	node.js	`0.10.1`
nodejs	node.js	`0.10.2`
nodejs	node.js	`0.10.3`
nodejs	node.js	`0.10.4`
nodejs	node.js	`0.10.5`
nodejs	node.js	`0.10.6`
nodejs	node.js	`0.10.7`
nodejs	node.js	`0.10.8`
nodejs	node.js	`0.10.9`
nodejs	node.js	`0.10.10`
nodejs	node.js	`0.10.11`
nodejs	node.js	`0.10.12`
nodejs	node.js	`0.10.13`
nodejs	node.js	`0.10.14`
nodejs	node.js	`0.10.15`
nodejs	node.js	`0.10.16`
nodejs	node.js	`0.10.16-isaacs-manual`
nodejs	node.js	`0.10.17`
nodejs	node.js	`0.10.18`
nodejs	node.js	`0.10.19`
nodejs	node.js	`0.10.20`
nodejs	node.js	`0.10.21`
nodejs	node.js	`0.10.22`
nodejs	node.js	`0.10.23`
nodejs	node.js	`0.10.24`
nodejs	node.js	`0.10.25`
nodejs	node.js	`0.10.26`
nodejs	node.js	`0.10.27`
nodejs	node.js	`0.10.28`
nodejs	node.js	`0.10.29`
nodejs	node.js	`0.10.30`
nodejs	node.js	`0.10.31`
nodejs	node.js	`0.10.32`
nodejs	node.js	`0.10.33`
nodejs	node.js	`0.10.34`
nodejs	node.js	`0.10.35`
nodejs	node.js	`0.10.36`
nodejs	node.js	`0.10.37`
nodejs	node.js	`0.10.38`
nodejs	node.js	`0.10.39`
nodejs	node.js	`0.10.40`
nodejs	node.js	`0.10.41`
nodejs	node.js	`0.12.0`
nodejs	node.js	`0.12.1`
nodejs	node.js	`0.12.2`
nodejs	node.js	`0.12.3`
nodejs	node.js	`0.12.4`
nodejs	node.js	`0.12.5`
nodejs	node.js	`0.12.6`
nodejs	node.js	`0.12.9`
nodejs	node.js	`4.0.0`
nodejs	node.js	`4.1.0`
nodejs	node.js	`4.1.1`
nodejs	node.js	`4.1.2`
nodejs	node.js	`4.2.0`
nodejs	node.js	`4.2.1`
nodejs	node.js	`4.2.2`
nodejs	node.js	`4.2.3`
nodejs	node.js	`4.2.4`
nodejs	node.js	`4.2.5`
nodejs	node.js	`4.2.6`
nodejs	node.js	`4.3.0`
nodejs	node.js	`4.3.1`
nodejs	node.js	`4.3.2`
nodejs	node.js	`4.4.0`
nodejs	node.js	`4.4.1`
nodejs	node.js	`5.0.0`
nodejs	node.js	`5.1.0`
nodejs	node.js	`5.1.1`
nodejs	node.js	`5.2.0`
nodejs	node.js	`5.3.0`
nodejs	node.js	`5.4.0`
nodejs	node.js	`5.4.1`
nodejs	node.js	`5.5.0`
nodejs	node.js	`5.6.0`
nodejs	node.js	`5.7.0`
nodejs	node.js	`5.7.1`
nodejs	node.js	`5.8.0`
nodejs	node.js	`5.8.1`
nodejs	node.js	`5.9.0`
nodejs	node.js	`5.9.1`
npmjs	npm	`{"endExcluding":"2.15.1"}`	`2.15.1`

References

CWEs

CWE-200

Verify integrity in audit chain (admin only). AS-IS.