CVE-2019-10773
Publication date 16 December 2019
Last updated 26 August 2025
Ubuntu priority
Description
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| node-yarnpkg | 25.10 questing |
Not affected
|
| 25.04 plucky |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
Other references
- https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
- https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
- https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
- https://snyk.io/vuln/SNYK-JS-YARN-537806
- https://snyk.io/vuln/SNYK-JS-YARN-537806,
- https://www.cve.org/CVERecord?id=CVE-2019-10773