Description
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten, depending on the current user's permission set.
References (7)
- Third Party Advisory (x_refsource_misc): https://snyk.io/vuln/SNYK-JS-YARN-537806%2C
- Patch, Third Party Advisory (x_refsource_misc): https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
- Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
- Exploit, Third Party Advisory (x_refsource_misc): https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
- Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/
- Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
- Vendor Advisory, vendor-advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2020:0475
Scores
CVSS v3 base score: 7.8
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
EPSS: 0.0055
EPSS Percentile: 68.0%
Details
CWE: CWE-59 (Improper Link Resolution Before File Access, "Link Following")
Status: published
Products (2)
npm/yarn (npm ecosystem): 0 - 1.22.0
yarnpkg/yarn: < 1.21.1
Published: Dec 16, 2019
Tracked Since: Feb 18, 2026