CVE-2019-15608
Description
yarn <1.19.0 has a TOCTOU vulnerability in package integrity validation, leading to cache pollution attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
CVE-2019-15608 is a time-of-check time-of-use (TOCTOU) vulnerability in the yarn package manager prior to version 1.19.0. During package installation, the integrity hash of a package is computed only before writing it to the cache. When the same package is later fetched from the cache, the existing cached hash is used without re-verifying the cached package data against the expected integrity value. This oversight allows an attacker to alter a cached package after its initial validation, and subsequent installations would serve the tampered package without detection [1][2].
Attack Vector
The attack requires an attacker to have write access to the yarn cache directory on the target filesystem. This could be achieved through local access or via a secondary vulnerability that enables cache modification. No network-level manipulation is needed; the attacker modifies the cached tarball after the integrity check but before it is read again. The vulnerability is present in all yarn versions before 1.19.0 [1][2].
Impact
Successful exploitation lets an attacker replace a legitimate cached package with a malicious one. Any user who subsequently installs or updates that package will receive the attacker's version, potentially executing arbitrary code in the context of the package installation or at runtime. This can lead to supply-chain compromises affecting multiple projects [2].
Mitigation
The vulnerability was fixed in yarn version 1.19.0. The fix adds an integrity re-verification step when reading from the cache, ensuring that the cached content matches the expected hash before it is used. The commit 0474b8c demonstrates the change: fetchCache now accepts an integrity parameter and throws an error if the stored integrity does not match the expected value [3]. Users should upgrade to yarn >=1.19.0 immediately.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yarn (npm) | < 1.19.0 | 1.19.0 |
Affected products
- yarn/yarn
Patches
- 0474b8c66a8e: Prevents loading the cache if the stored integrity doesn't match
1 file changed · +12 −3
src/package-fetcher.js+12 −3 modified@@ -9,8 +9,17 @@ import * as fetchers from './fetchers/index.js'; import * as fs from './util/fs.js'; import * as promise from './util/promise.js'; -async function fetchCache(dest: string, fetcher: Fetchers, config: Config): Promise<FetchedMetadata> { - const {hash, package: pkg} = await config.readPackageMetadata(dest); +const ssri = require('ssri'); + +async function fetchCache(dest: string, fetcher: Fetchers, config: Config, integrity: ?string): Promise<FetchedMetadata> { + const {hash, package: pkg, remote} = await config.readPackageMetadata(dest); + + if (integrity) { + if (!remote.integrity || !ssri.parse(integrity).match(remote.integrity)) { + throw new MessageError('Incorrect integrity when fetching from the cache'); + } + } + await fetcher.setupMirrorFromCache(); return { package: pkg, @@ -40,7 +49,7 @@ export async function fetchOneRemote( const fetcher = new Fetcher(dest, remote, config); if (await config.isValidModuleDest(dest)) { - return fetchCache(dest, fetcher, config); + return fetchCache(dest, fetcher, config, remote.integrity); } // remove as the module may be invalid
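Review bot: in the first hunk, fetchCache validates `integrity` against `remote.integrity` returned by `config.readPackageMetadata(dest)`, that is, against the integrity string recorded in the cache's own metadata; nothing in the hunk hashes the cached tarball bytes. If the tarball on disk can be altered without touching its metadata, this check does not detect that, so either hash the content against `integrity` here or document where the content verification happens. Also, `remote` is destructured and dereferenced without a null check, so a cache entry whose metadata lacks `remote` surfaces as a TypeError rather than the intended `MessageError`; guard with `if (!remote || !remote.integrity || ...)`. Finally, `const ssri = require('ssri');` sits among ES `import` statements; `import ssri from 'ssri';` would match the file's style.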
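Review bot: in the second hunk, fetchOneRemote passes `remote.integrity` to fetchCache, and fetchCache skips the whole check when that value is falsy (`if (integrity)`). A lockfile entry without an integrity field therefore still loads from the cache unverified; consider at least comparing against the `hash` that fetchCache already reads from the metadata, or logging that the cache entry was used without integrity verification so the gap is visible.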
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hjxc-462x-x77j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-15608 (GHSA advisory)
- github.com/yarnpkg/yarn/blob/master/CHANGELOG.md (GHSA, x_refsource_MISC, web)
- github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c (GHSA, x_refsource_MISC, web)
- hackerone.com/reports/703138 (GHSA, x_refsource_MISC, web)