#VU25736 Improper validation of integrity check value in yarn


Published: 2020-03-03

Vulnerability identifier: #VU25736

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-354

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
yarn
Web applications / Modules and components for CMS

Vendor: Yarn

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the affected software does not validate the integrity of packages it places in the yarn cache. A remote attacker can pollute the yarn cache via a crafted yarn.lock file that the victim installs from: the crafted entry places a malicious package into the cache under any name/version, bypassing both the integrity and the hash checks that yarn.lock is supposed to enforce, so that any future install of that package installs the fake version from the cache, regardless of the integrity and hash values in the yarn.lock used for that later install.

Mitigation
Install updates from the vendor's website. The vulnerable range ends at yarn 1.18.0, so update to a later release; the fixing commit is listed under External links.

Vulnerable software versions

yarn: 0.2.0 - 1.18.0


External links
http://snyk.io/vuln/SNYK-JS-YARN-557182
http://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
http://hackerone.com/reports/703138


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

