CVE-2020-8131
Arbitrary File System Write vulnerability in yarn (npm)
What is CVE-2020-8131 About?
Yarn 1.21.1 and earlier versions contain an arbitrary filesystem write vulnerability. Attackers can write to any path on the filesystem, which can lead to arbitrary code execution if a user is coerced into installing a malicious package. This is a critical vulnerability with high impact and a moderate level of exploitation complexity, typically requiring user interaction.
Affected Software
Technical Details
The vulnerability in Yarn 1.21.1 and earlier arises from improper handling of package installation, specifically regarding where package contents are written to the filesystem. A malicious package could be crafted with specially designed files or scripts that, during the installation process, exploit a flaw in how Yarn determines target file paths. This flaw allows the malicious package to write files outside of its intended installation directory and into arbitrary locations on the filesystem. If an attacker can convince a user to install such a malicious package, they can achieve arbitrary filesystem writes. This can further lead to arbitrary code execution if the attacker can overwrite system binaries, inject malicious scripts into startup locations, or tamper with application configurations in a way that triggers their code to run later.
What is the Impact of CVE-2020-8131?
Successful exploitation may allow attackers to execute arbitrary code with the privileges of the Yarn user, gain persistent access to the system, tamper with critical system files, or achieve full system compromise.
What is the Exploitability of CVE-2020-8131?
Exploitation requires user interaction: the attacker must convince a user to install a specially crafted malicious package via Yarn. The complexity is moderate, involving the creation of the malicious package and a social engineering component. Authentication requirements are minimal, as the vulnerability affects the package installation process itself, which is often performed by authenticated users. Privilege requirements are those of the user running Yarn; if Yarn is run with elevated privileges (e.g., 'sudo'), the impact is significantly higher. This is primarily a local exploit in the sense that the malicious write occurs on the user's system, but the package can be distributed remotely. The risk of exploitation is significantly increased if users regularly install packages from untrusted sources or if the package registry itself is compromised.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-8131?
Available Upgrade Options
- yarn
- <1.22.0 → Upgrade to 1.22.0
Additional Resources
What are Similar Vulnerabilities to CVE-2020-8131?
Similar Vulnerabilities: CVE-2019-1000001, CVE-2018-15688, CVE-2018-1000613, CVE-2017-16003, CVE-2015-7585
