CVE-2021-4435
Untrusted Search Path vulnerability in yarn (npm)

Weakness: Untrusted Search Path | Exploit status: No known exploit

What is CVE-2021-4435 About?

This vulnerability in Yarn involves an untrusted search path flaw, where running certain Yarn commands in a directory with attacker-controlled content can lead to the execution of malicious commands. This poses a significant risk for arbitrary code execution. Exploitation relies on a victim executing Yarn commands in a compromised environment.

Affected Software

yarn <1.22.13

Technical Details

The vulnerability in Yarn is an untrusted search path issue. It occurs when Yarn, while executing certain commands, searches for and loads executables or scripts from a path that includes attacker-controlled directories or files. Specifically, if a user runs a Yarn command (e.g., yarn install, yarn test) in a project directory that has been compromised or that contains maliciously crafted files, Yarn may resolve and execute those malicious files ahead of the legitimate system binaries or project scripts. Subverting the expected command resolution in this way yields arbitrary code execution in the context of the user running Yarn.

What is the Impact of CVE-2021-4435?

Successful exploitation may allow attackers to execute arbitrary commands, leading to remote code execution, system compromise, data theft, or planting of malware.

What is the Exploitability of CVE-2021-4435?

Exploitation of this vulnerability requires local access or the ability to place attacker-controlled content within a directory where a victim is likely to execute Yarn commands. The complexity is moderate, as it relies on a specific sequence of actions by the victim (running particular Yarn commands in a compromised directory). No authentication or special privileges are needed for the execution itself once the malicious content is in place. The attack is primarily local to the victim's machine. Risk factors include developers downloading untrusted packages or cloning repositories containing malicious files, or working in shared development environments.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
(no entries: no known public exploits)

What are the Available Fixes for CVE-2021-4435?

Available Upgrade Options

  • yarn
    • <1.22.13 → Upgrade to 1.22.13


Additional Resources

What are Similar Vulnerabilities to CVE-2021-4435?

Similar Vulnerabilities: CVE-2023-39744, CVE-2023-39743, CVE-2023-39148, CVE-2023-37920, CVE-2023-37919