CVE-2019-10773
Arbitrary Symlink Creation vulnerability in yarn (npm)
What is CVE-2019-10773 About?
Yarn versions before 1.21.1 are vulnerable to arbitrary symlink creation through specially crafted 'bin' keys in a dependency's package.json, which Yarn processes during package installation. A malicious package can use this to place symlinks at locations of its choosing on the host filesystem. The impact ranges from overwriting existing files (wherever the installing user has write permission) to denial of service, and exploitation requires nothing more than getting a victim to install the malicious package.
Affected Software
- yarn (npm), all versions before 1.21.1
Technical Details
Yarn versions prior to 1.21.1 create `bin` links during package installation without validating the manifest entries that drive them. A dependency's package.json may declare a `bin` object whose keys name the executables to expose and whose values are package-relative paths to the scripts; Yarn turns each entry into a symlink named after the key (normally under `node_modules/.bin`, or the global bin directory for `yarn global add`) pointing at the value. Before the fix, the key was not constrained to a bare filename, so a key containing path separators or `..` segments put the link wherever the attacker chose relative to the bin directory, and the value could likewise point it at an arbitrary target. When `yarn install` processes such a manifest it therefore creates symlinks at attacker-chosen locations on the host filesystem: existing files are replaced if the installing user can write to them, dangling links can be left behind, and a link dropped into a directory on the user's PATH under a familiar command name runs the package's script the next time that name is invoked. Escalation beyond the installing user's privileges is only possible if Yarn itself is run with elevated rights (for example as root).
What is the Impact of CVE-2019-10773?
Successful exploitation lets a malicious package create symlinks at locations of its choosing on the victim's filesystem, replacing existing files that the installing user can write to. The consequences are denial of service, loss of data integrity, and code execution if a planted link is later invoked as a command; escalation beyond the installing user's privileges requires that Yarn was run with elevated rights in the first place.
What is the Exploitability of CVE-2019-10773?
Exploitation of this vulnerability is of low complexity. An attacker would need to publish a malicious npm package containing a specially crafted bin key in its package.json. A victim then needs to incorporate this malicious package as a dependency and run yarn install. There are no explicit authentication requirements, but the victim must have sufficient filesystem permissions to create symlinks or overwrite files in the targeted locations. This is generally a local attack in the sense that the malicious package is installed on the victim's system, but it can be initiated remotely via package registries. The risk factors that increase exploitation likelihood include developers installing untrusted or unvetted packages, or projects with a large dependency tree where a sub-dependency could be compromised.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-10773?
Available Upgrade Options
- yarn
- <1.22.0 → Upgrade to 1.22.0 (the fix itself shipped in 1.21.1, so any release from 1.21.1 onward is patched)
Additional Resources
- https://osv.dev/vulnerability/GHSA-5xf4-f2fq-f69j
- https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI
- https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
- https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
- https://github.com/yarnpkg/yarn/pull/7755
- https://access.redhat.com/errata/RHSA-2020:0475
What are Similar Vulnerabilities to CVE-2019-10773?
Similar Vulnerabilities: CVE-2018-7649, CVE-2017-7690, CVE-2019-14867, CVE-2020-5231, CVE-2020-13692
