Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package yarn, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (5)
CVE-2019-5448 — CVSS 8.1 (high): Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication…
CVE-2019-10773 — CVSS 7.8 (high): In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using…
CVE-2021-4435 — CVSS 7.7 (high): An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled…
CVE-2020-8131 — CVSS 7.5 (high): Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead…
CVE-2019-15608 — CVSS 5.9 (medium): The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to…