Lucene search
K

7 matches found

CVE
CVE
added 2020/03/15 5:8 p.m.119 views

CVE-2019-15608

The CVE-2019-15608 issue is a TOCTOU race condition in Yarn where the package hash is computed before writing to the cache and not recomputed on read, enabling potential cache pollution. Connected sources confirm this affects Yarn versions older than 1.19.0 and that a fix exists in 1.19.0. Photon...

5.9CVSS5.6AI score0.01783EPSS
CVE
CVE
added 2020/02/24 2:41 p.m.102 views

CVE-2020-8131

CVE-2020-8131 describes an arbitrary filesystem write vulnerability in Yarn before 1.22.0 , enabling an attacker to write to arbitrary paths and potentially achieve arbitrary code execution by coercing the user to install a malicious package. Affected component: yarn (versions prior to 1.22.0). R...

7.5CVSS7.7AI score0.05033EPSS
CVE
CVE
added 2019/12/16 7:31 p.m.95 views

CVE-2019-10773

The CVE-2019-10773 issue affects Yarn prior to 1.21.1, where the package install functionality can be abused via specially crafted bin keys to generate arbitrary symlinks on the host filesystem. This can lead to existing files being overwritten depending on user permissions. The vulnerability ste...

7.8CVSS7.5AI score0.01505EPSS
CVE
CVE
added 2019/07/30 8:15 p.m.84 views

CVE-2019-5448

CVE-2019-5448 affects Yarn; the vulnerability arises from HTTP URLs in a Yarn lockfile that can cause unencrypted authentication data to be transmitted. The connected advisories confirm Photon OS and Nessus plugins flag Yarn as affected and advise updating the Yarn package to mitigate. The exact ...

8.1CVSS7.8AI score0.00668EPSS
CVE
CVE
added 2024/02/04 7:16 p.m.78 views

CVE-2021-4435

CVE-2021-4435 describes an untrusted search path vulnerability in Yarn. The issue can allow execution of malicious commands when a victim runs certain Yarn commands in a directory containing attacker-controlled content. Impact details in the NVD entry show a high-severity, local attack with requi...

7.8CVSS7.6AI score0.00301EPSS
CVE
CVE
added 2025/07/28 7:2 a.m.57 views

CVE-2025-8262

The IBM Watsonx BI bulletin confirms CVE-2025-8262 affects yarnpkg Yarn up to 1.22.22, specifically the function explodeHostedGitFragment in src/resolvers/exotics/hosted-git-resolver.js. The issue arises from inefficient regular expression complexity, enabling a remote attack. A patch exists (com...

7.5CVSS7.2AI score0.007EPSS
CVE
CVE
added 2025/08/21 4:2 p.m.35 views

CVE-2025-9308

CVE-2025-9308 affects yarnpkg Yarn up to 1.22.22. The vulnerability is in the function setOptions of src/util/request-manager.js, where manipulation leads to inefficient regular expression complexity. Local access is required. The advisory consistently indicates the issue affects products that ar...

5.5CVSS7.1AI score0.00188EPSS