CVE-2019-10773: Improper Link Resolution Before File Access

December 16, 2019 (updated December 27, 2019)

In Yarn, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted “bin” keys. Existing files could be overwritten depending on the current user permission set.

References

nvd.nist.gov/vuln/detail/CVE-2019-10773

Code Behaviors & Features

Detect and mitigate CVE-2019-10773 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →