Requires yarn 3. npm install -g yarn
then yarn set version berry
to set your
version to yarn 3.
This repository demonstrates a bug in yarn 3.1.0 and earlier, where npm security advisories are incorrectly reported. There are two relevant branches:
vulnerability-reported
: This branch has an old version of lodash installed, which is affected by this security advisory.yarn npm audit
correctly reports this vulnerability.vulnerability-not-reported-version-overridden
: This branch also has the same old, vulnerable version of lodash installed. It also has the most recent version ofhtml-webpack-plugin
installed as a dev dependency, which itself installs a more recent version of lodash that is not vulnerable to this command injection vulnerability. While the proof-of-concept exploit still works,yarn npm audit
does not report this vulnerability, likely due to the more recent version of lodash also being installed.
- Run
yarn install
- Run
yarn node index.js
to demonstrate the command injection vulnerability in the installed version of lodash. The PoC dumps out the contents ofprocess.env
by way of a command injection vulnerability in an old version of lodash.
On the vulnerability-reported
branch, running a security audit will return the
following vulnerability:
$ yarn npm audit
└─ lodash: 4.17.20
├─ Issue: Command Injection in lodash
├─ URL: https://github.com/advisories/GHSA-35jh-r3h4-6jhm
├─ Severity: high
├─ Vulnerable Versions: <4.17.21
├─ Patched Versions: >=4.17.21
├─ Via: lodash
└─ Recommendation: Upgrade to version 4.17.21 or later
On the vulnerability-not-reported-version-overridden
branch, running a
security audit will return no vulnerabilities, but the PoC described above will
still execute:
$ yarn npm audit
➤ YN0001: No audit suggestions