CVE-2019-5448

HIGH

Yarn < 1.17.3 - Cleartext Transmission

Title source: rule

Description

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

References (3)

[Permissions Required, Third Party Advisory] https://hackerone.com/reports/640904

[Exploit, Third Party Advisory] https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md

View Exploit ZIP pw:eip

[Vendor Advisory] https://yarnpkg.com/blog/2019/07/12/recommended-security-update/

Scores

CVSS v3 8.1

EPSS 0.0011

EPSS Percentile 28.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-319 CWE-311

Status published

Products (2)

npm/yarn 0 - 1.17.3npm

yarnpkg/yarn < 1.17.3

Published Jul 30, 2019

Tracked Since Feb 18, 2026