CVE-2019-5448
Missing Encryption of Sensitive Data vulnerability in yarn (npm)


What is CVE-2019-5448 About?

Yarn before 1.17.3 is susceptible to Missing Encryption of Sensitive Data, as HTTP URLs in lockfiles can lead to unencrypted authentication details being transmitted over the network. This exposes sensitive information to potential eavesdropping, making it relatively easy to exploit through network interception. Successful exploitation allows attackers to capture and potentially reuse authentication credentials.

Affected Software

yarn <1.17.3

Technical Details

The vulnerability stems from Yarn's handling of lockfiles, specifically when they reference packages or resources via HTTP URLs. When a user's yarn.lock file contains such HTTP URLs, Yarn's package fetching mechanism may attempt to retrieve these resources over an unencrypted channel. If these resources require or include authentication data (e.g., tokens, session cookies, or basic authentication headers), this data will be sent in plaintext across the network. An attacker positioned to intercept network traffic (e.g., via a man-in-the-middle attack on an insecure network) can capture this sensitive information. The lack of encryption for authentication data during transmission makes this a critical exposure.

What is the Impact of CVE-2019-5448?

Successful exploitation may allow attackers to intercept and acquire sensitive authentication data, potentially leading to unauthorized access, impersonation, or compromise of user accounts and associated resources.

What is the Exploitability of CVE-2019-5448?

Exploitation of this vulnerability requires an attacker to be in a position to intercept network traffic between the vulnerable Yarn client and the HTTP resource server. This typically involves a man-in-the-middle (MITM) attack, which can be accomplished on insecure Wi-Fi networks, by compromising network infrastructure, or through DNS spoofing. No authentication or specific privileges are required on the target system itself; the attack is remote and passive, relying on network monitoring. The complexity is moderate, depending on the attacker's ability to position themselves on the network path. The likelihood of exploitation increases in environments with prevalent unsecured HTTP communication or compromised network segments.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2019-5448?

Available Upgrade Options

  • yarn
    • <1.17.3 → Upgrade to 1.17.3


Additional Resources

What are Similar Vulnerabilities to CVE-2019-5448?

Similar Vulnerabilities: CVE-2016-2183, CVE-2017-15286, CVE-2019-15820, CVE-2020-14981, CVE-2021-20300