CVE-2020-8131

HIGH

Yarn < 1.22.0 - Arbitrary Filesystem Write via Malicious Package Installation

Title source: llm
STIX 2.1

Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/730239
Patch, Third Party Advisory x_refsource_confirm
https://github.com/yarnpkg/yarn/pull/7831

Scores

CVSS v3 7.5
EPSS 0.0503
EPSS Percentile 91.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (2)
npm/yarn 0 - 1.22.0npm
yarnpkg/yarn < 1.21.1
Published Feb 24, 2020
Tracked Since Feb 18, 2026