Yarn: untrusted search path
Description
Untrusted search path vulnerability in Yarn 1.x allows attackers to execute malicious commands via attacker-controlled directories.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2021-4435 is an untrusted search path vulnerability in Yarn, a popular JavaScript package manager. When a victim runs certain Yarn commands from a directory containing attacker-controlled content, Yarn may execute a file from that directory instead of the program it intended to run [1][2]. The root cause is that Yarn spawned helper programs by bare name and did nothing to stop the current working directory from satisfying that lookup, so a file planted there could shadow the system binary.
To exploit this, an attacker must first get a victim to run Yarn inside a directory the attacker controls, such as a cloned repository or a shared project folder. The attacker plants in that directory an executable (or, where PATHEXT applies, a script such as a .cmd file) whose name matches a program Yarn spawns by bare name. When the victim runs a Yarn command that spawns that program, Yarn may execute the planted file instead of the intended binary, giving the attacker arbitrary code execution [1][2]. The attacker needs no privileges beyond write access to the target directory.
Successful exploitation allows the attacker to execute arbitrary commands in the context of the victim user. This could lead to data exfiltration, installation of backdoors, or further compromise of the system. The vulnerability is limited to Yarn 1.x (the 1.22 line and earlier); later versions (Yarn 2/3/4, known as Berry) are not affected [3].
Red Hat has acknowledged the vulnerability and recommends updating to a patched version. The Yarn project fixed the issue in version 1.22.13 [4]; users of Yarn 1.x should upgrade to 1.22.13 or later. Migrating from the 1.x line to Berry is also advised, since it avoids this class of issue [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yarn (npm) | < 1.22.13 | 1.22.13 |
Affected products
- Fedora / Extra Packages for Enterprise Linux v5
- Fedora / Fedora v5
Patches
67fcce88935e: Prevents the cwd from being a valid resolution for exec
1 file changed · +22 −0
src/util/child.js+22 −0 modified@@ -7,6 +7,8 @@ import {ProcessSpawnError, ProcessTermError} from '../errors.js'; import {promisify} from './promise.js'; const child = require('child_process'); +const fs = require('fs'); +const path = require('path'); export const queue = new BlockingQueue('child', constants.CHILD_CONCURRENCY); @@ -15,7 +17,24 @@ let uid = 0; export const exec = promisify(child.exec); +function validate(program: string, opts?: Object = {}) { + if (program.includes('/')) { + return true; + } + + const cwd = opts.cwd || process.cwd(); + const pathext = process.env.PATHEXT || ''; + + for (const ext of pathext.split(';')) { + const candidate = path.join(cwd, `${program}${ext}`); + if (fs.existsSync(candidate)) { + throw new Error(`Potentially dangerous call to "${program}" in ${cwd}`); + } + } +} + export function forkp(program: string, args: Array<string>, opts?: Object): Promise<number> { + validate(program, opts); const key = String(++uid); return new Promise((resolve, reject) => { const proc = child.fork(program, args, opts); @@ -32,6 +51,7 @@ export function forkp(program: string, args: Array<string>, opts?: Object): Prom } export function spawnp(program: string, args: Array<string>, opts?: Object): Promise<number> { + validate(program, opts); const key = String(++uid); return new Promise((resolve, reject) => { const proc = child.spawn(program, args, opts); @@ -73,6 +93,8 @@ export function spawn( key, (): Promise<string> => new Promise((resolve, reject) => { + validate(program, opts); + const proc = child.spawn(program, args, opts); spawnedProcesses[key] = proc;
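Review bot: in the `validate` hunk, `fs.existsSync(candidate)` only proves that something by that name exists, so a directory or a non-executable file called `node` in cwd also aborts the spawn, and on POSIX the throw is a false positive unless PATH actually contains `.` or an empty entry, because `execvp` never consults the working directory on its own. Consider `fs.statSync(candidate).isFile()` together with an `X_OK` access check, or restricting the cwd probe to `process.platform === 'win32'`, and state the intended platform in a comment above the `PATHEXT` loop.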
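Review bot: in the `spawnp` hunk (and likewise in `forkp` above) `validate(program, opts);` runs before `new Promise((resolve, reject) => {`, so a planted file surfaces as a synchronous throw rather than a rejected promise, and callers that only chain `.catch()` on the returned promise will not see it. Move the call inside the executor, as the `spawn` hunk does, so all three entry points fail the same way.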
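Review bot: the `spawn` hunk completes the change but the diff touches only `src/util/child.js` and adds no regression test. A test that creates a temp cwd containing a file named like the spawned program and asserts that `spawn(program, ...)` rejects with the `Potentially dangerous call` error would pin the behaviour, which matters here because the probe depends on `PATHEXT` and on the platform.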
Vulnerability mechanics
Root cause
"Yarn incorrectly resolved and executed programs from the current working directory, leading to an untrusted search path vulnerability."
Attack vector
An attacker can place a malicious executable in a directory and trick a victim into running Yarn commands from that same directory. When Yarn attempts to execute a program, it may inadvertently resolve and run the attacker-controlled file instead of the intended system utility. This untrusted search path vulnerability allows for arbitrary command execution [patch_id=26066].
Affected code
The vulnerability exists in `src/util/child.js` within the `forkp`, `spawnp`, and `spawn` functions. These functions are responsible for executing external processes but failed to properly validate the program path against the current working directory [patch_id=26066].
What the fix does
The patch adds a `validate` function in `src/util/child.js` and calls it from `forkp`, `spawnp` and `spawn` before the child process is created [patch_id=26066]. For a program name that contains no path separator, it takes the spawn's `opts.cwd` (falling back to `process.cwd()`) and, for each extension in `PATHEXT` (just the bare name when `PATHEXT` is unset), checks whether `cwd/<program><ext>` exists; if any candidate exists it throws `Potentially dangerous call to "<program>" in <cwd>` and the spawn never happens [patch_id=26066]. Names that already contain `/` are passed through unchanged. This stops a file planted in the working directory from shadowing the system binary Yarn meant to run.
Preconditions
- Input: the victim must execute Yarn commands within a directory containing an attacker-controlled executable.
Generated on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/advisories/GHSA-mpwj-fcr6-x34c (GHSA advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2021-4435 (NVD advisory)
3. https://access.redhat.com/security/cve/CVE-2021-4435 (Red Hat vulnerability database entry)
4. https://bugzilla.redhat.com/show_bug.cgi (Red Hat issue tracking)
5. https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1 (fix commit)
6. https://github.com/yarnpkg/yarn/releases/tag/v1.22.13 (release)
News mentions
No linked articles in our index yet.