Vulnerabilities > Yarnpkg

DATE CVE VULNERABILITY TITLE RISK
2024-02-04 CVE-2021-4435 Untrusted Search Path vulnerability in Yarnpkg Yarn
An untrusted search path vulnerability was found in Yarn.
local
low complexity
yarnpkg CWE-426
7.8
2020-03-15 CVE-2019-15608 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Yarnpkg Yarn
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache.
network
high complexity
yarnpkg CWE-367
5.9
2020-02-24 CVE-2020-8131 Path Traversal vulnerability in Yarnpkg Yarn
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
network
high complexity
yarnpkg CWE-22
7.5
2019-12-16 CVE-2019-10773 Link Following vulnerability in Yarnpkg Yarn
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys.
local
low complexity
yarnpkg CWE-59
7.8
2019-07-30 CVE-2019-5448 Cleartext Transmission of Sensitive Information vulnerability in Yarnpkg Yarn
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
network
high complexity
yarnpkg CWE-319
8.1
2019-05-16 CVE-2018-12556 Improper Verification of Cryptographic Signature vulnerability in Yarnpkg Website 20180605
The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.
network
high complexity
yarnpkg CWE-347
5.9