CVE-2020-8131
Description
Arbitrary filesystem write in Yarn before 1.22.0 allows attackers to write to any path via malicious package installation, potentially leading to arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability overview
CVE-2020-8131 is an arbitrary filesystem write vulnerability in the Yarn package manager before version 1.22.0. The issue lies in the package fetch process, where insufficient path validation allows a crafted package to write files to arbitrary locations on the filesystem [1]. It can be exploited by tricking a user into installing a malicious package.
Exploitation
An attacker can craft a package that, when installed, writes files to any path the Yarn process can reach. No privileges beyond those of the user running Yarn are needed: every location that user can write to is a possible target. The attack is triggered when the user runs yarn install on a project whose dependency tree includes the malicious package [2].
Impact
Successful exploitation can overwrite any file the Yarn user can write to, such as shell startup files, user configuration, or application binaries, potentially enabling arbitrary code execution; where Yarn runs with elevated privileges (for example as root in a CI image) this extends to full system compromise [1].
Mitigation
The vulnerability is fixed in Yarn version 1.22.0. Users are advised to upgrade to this version or later (yarn --version shows the installed release). Additionally, exercising caution when installing packages from untrusted sources reduces the risk [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| yarn (npm) | < 1.22.0 | 1.22.0 |
Affected products
- Yarn / Yarn
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8mfc-v7wv-p62g (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-8131 (GHSA, advisory)
- github.com/yarnpkg/yarn/pull/7831 (GHSA, x_refsource_CONFIRM, web)
- hackerone.com/reports/730239 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.