CVE-2019-15608
TOCTOU (Time-of-Check to Time-of-Use) vulnerability in yarn (npm)


What is CVE-2019-15608 About?

This vulnerability is a TOCTOU flaw in `yarn` versions prior to 1.19.0, affecting package integrity validation. The hash is computed before writing to cache but not re-computed when reading, enabling a cache pollution attack. This can lead to integrity compromise, and exploitation likely requires local access and precise timing.

Affected Software

yarn <1.19.0

Technical Details

The yarn package manager, in versions before 1.19.0, is vulnerable to a TOCTOU (Time-of-Check to Time-of-Use) attack during its package integrity validation process. When a package is downloaded, yarn computes its hash before writing it to the local cache. However, when the package is subsequently read from the cache, the integrity hash is not re-verified. This creates a time window during which an attacker, particularly one with local access to the system, or with network access that allows cache files to be intercepted or modified, can swap the legitimate package in the cache for a malicious one after the initial hash check but before it is used. This cache pollution attack allows the attacker to introduce arbitrary code into the build process, because yarn then serves the tampered package believing it to be legitimate.

What is the Impact of CVE-2019-15608?

Successful exploitation may allow attackers to inject malicious code into dependencies, compromise developer environments, distribute tainted software, or undermine the integrity of software build processes.

What is the Exploitability of CVE-2019-15608?

Exploitation of this TOCTOU vulnerability is of high complexity, requiring precise timing and often involving local access or significant network control. An attacker would need to intercept or modify the package file in the cache directory after its initial integrity check but before its actual use. No specific authentication is required at the application level, but local file system access is typically a prerequisite. This is generally a local attack, but can be a remote attack if an adversary can manipulate network traffic to control cache file contents. Prerequisites include a user performing package operations with a vulnerable version of yarn and an attacker having the means to tamper with the local cache directory or network stream. The likelihood of exploitation increases in shared development environments or CI/CD pipelines where cache manipulation might be feasible.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2019-15608?

Available Upgrade Options

  • yarn
    • <1.19.0 → Upgrade to 1.19.0


Additional Resources

What are Similar Vulnerabilities to CVE-2019-15608?

Similar Vulnerabilities: CVE-2023-38545, CVE-2020-29377, CVE-2018-1000132, CVE-2017-9110, CVE-2016-10255