7 matches found
CVE-2019-15608
The CVE-2019-15608 issue is a TOCTOU race condition in Yarn where the package hash is computed before writing to the cache and not recomputed on read, enabling potential cache pollution. Connected sources confirm this affects Yarn versions older than 1.19.0 and that a fix exists in 1.19.0. Photon...
CVE-2020-8131
CVE-2020-8131 describes an arbitrary filesystem write vulnerability in Yarn before 1.22.0 , enabling an attacker to write to arbitrary paths and potentially achieve arbitrary code execution by coercing the user to install a malicious package. Affected component: yarn (versions prior to 1.22.0). R...
CVE-2019-10773
The CVE-2019-10773 issue affects Yarn prior to 1.21.1, where the package install functionality can be abused via specially crafted bin keys to generate arbitrary symlinks on the host filesystem. This can lead to existing files being overwritten depending on user permissions. The vulnerability ste...
CVE-2019-5448
CVE-2019-5448 affects Yarn; the vulnerability arises from HTTP URLs in a Yarn lockfile that can cause unencrypted authentication data to be transmitted. The connected advisories confirm Photon OS and Nessus plugins flag Yarn as affected and advise updating the Yarn package to mitigate. The exact ...
CVE-2021-4435
CVE-2021-4435 describes an untrusted search path vulnerability in Yarn. The issue can allow execution of malicious commands when a victim runs certain Yarn commands in a directory containing attacker-controlled content. Impact details in the NVD entry show a high-severity, local attack with requi...
CVE-2025-8262
The IBM Watsonx BI bulletin confirms CVE-2025-8262 affects yarnpkg Yarn up to 1.22.22, specifically the function explodeHostedGitFragment in src/resolvers/exotics/hosted-git-resolver.js. The issue arises from inefficient regular expression complexity, enabling a remote attack. A patch exists (com...
CVE-2025-9308
CVE-2025-9308 affects yarnpkg Yarn up to 1.22.22. The vulnerability is in the function setOptions of src/util/request-manager.js, where manipulation leads to inefficient regular expression complexity. Local access is required. The advisory consistently indicates the issue affects products that ar...