CVE-2019-5448
Description
Yarn before 1.17.3 transmits npm credentials over unencrypted HTTP when lockfile contains http:// registry URLs, enabling MitM credential theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Yarn versions prior to 1.17.3 are vulnerable to missing encryption of sensitive data because they honor http:// URLs in the lockfile when resolving scoped packages. When a lockfile entry references http://registry.npmjs.org/..., Yarn sends the npm authentication token (_authToken) over an unencrypted HTTP connection [1][2]. This issue originated from a period in 2018 when the npm registry temporarily returned HTTP URLs instead of HTTPS, and lockfiles generated during that time retained the insecure references [3].
Exploitation
An attacker with a man-in-the-middle (MitM) position on the network—such as a malicious proxy, VPN endpoint, or public Wi-Fi—can intercept the plaintext HTTP traffic during a yarn install operation. No additional authentication is required beyond the developer running the command on an affected lockfile. The exploit is straightforward: the attacker simply sniffs the network traffic to capture the npm credentials [1].
Impact
With the stolen npm credentials, an attacker can impersonate the affected account, publish packages (including malicious ones) under that account, unpublish existing packages, or break installs of protected packages. This poses a significant supply-chain risk, as compromised packages could be consumed by the account's organization and the broader ecosystem [1].
Mitigation
The vulnerability is fixed in Yarn 1.17.3, which enforces HTTPS for the three most common registry hostnames: `*.yarnpkg.com`, `*.npmjs.org`, and `*.npmjs.com`. Users are strongly advised to upgrade immediately and to replace any `http:` references in their lockfiles with `https:` using a command like `sed -i '' 's/http:/https:/g' yarn.lock` [3]. No workaround exists for older versions; upgrading is the only complete fix.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| yarn | npm | < 1.17.3 | 1.17.3 |
Affected products
- yarn/yarn (v5 range): Fixed in 1.17.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Yarn sends npm authentication tokens over unencrypted HTTP connections when the lockfile contains HTTP-resolved URLs for scoped packages."
Attack vector
An attacker who can perform a man-in-the-middle attack (e.g., on a public Wi-Fi, a malicious proxy, or a VPN) can sniff npm authentication tokens when a developer runs `yarn install` on a project whose `yarn.lock` contains `http://registry.npmjs.org/@...` resolved URLs [ref_id=1]. The lockfile may have been generated during a period in 2018 when the npm registry returned HTTP URLs, or an attacker could manually craft a malicious `yarn.lock` with HTTP URLs [ref_id=1]. No special privileges are required beyond network position; the victim simply runs `yarn install` on the affected lockfile [CWE-319].
Affected code
Yarn versions before 1.17.3 process `resolved` URLs from `yarn.lock` without enforcing HTTPS. When a lockfile entry contains an `http://registry.npmjs.org/` URL (e.g., `resolved "http://registry.npmjs.org/@types/node/-/node-9.4.7.tgz"`), Yarn sends the npm `_authToken` over that unencrypted HTTP connection [ref_id=1]. The vulnerability affects scoped packages (`@`-prefixed) resolved to HTTP URLs in the lockfile [ref_id=1].
What the fix does
Yarn v1.17.3 fixes the issue by ensuring that authentication data is only sent over HTTPS connections. The advisory states the fix was landed in a PR on the same day the vulnerability was reported and released as v1.17.3 [ref_id=1]. The researcher also recommends that users update Yarn, revoke and regenerate npm tokens, audit `yarn.lock` files for HTTP-resolved entries, and enable 2FA on npm accounts [ref_id=1]. No patch diff is included in the bundle, but the remediation is confirmed to be deployed in v1.17.3.
Preconditions
- input: The project's `yarn.lock` must contain a `resolved` URL using `http://` (not `https://`) for a scoped package (e.g., `http://registry.npmjs.org/@...`).
- network: The attacker must be in a position to intercept network traffic (MitM) between the victim and the npm registry.
- input: The victim must run `yarn install` on the affected lockfile while the attacker is positioned on the network path.
Reproduction
1. Place an npm auth token in `~/.npmrc` (e.g., `//registry.npmjs.org/:_authToken=38bb8d1f-a39b-47d1-a78e-3bf0626ff77e`).
2. Create an empty package with a dependency on `"@babel/core": "^7.5.4"` and run `yarn install`.
3. Replace all `https://registry.yarnpkg.com` URLs in the generated `yarn.lock` with `http://registry.npmjs.org/`.
4. Clear the Yarn cache and `node_modules`: `rm -rf ~/.cache/yarn/ node_modules`.
5. Start a packet sniffer (e.g., Wireshark) with a `tcp dst port 80` filter.
6. Run `yarn install` again. The auth token appears in cleartext in the captured HTTP traffic [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wqfc-cr59-h64p (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-5448 (NVD advisory)
- github.com/ChALkeR/notes/blob/master/Yarn-vuln.md (researcher write-up)
- hackerone.com/reports/640904 (HackerOne report)
- yarnpkg.com/blog/2019/07/12/recommended-security-update (Yarn blog; also listed by MITRE as a CONFIRM reference)