CVE-2019-5448

HIGH8.1EPSS 0.11%

Missing Encryption of Sensitive Data in yarn

Published: 7/31/2019Modified: 4/28/2026

Description

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Affected packages (2)

Debian/node-yarnpkgfrom 0, < 1.13.0-3
npm/yarnfrom 0, < 1.17.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-5448
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-5448
WEBhttps://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
WEBhttps://hackerone.com/reports/640904
WEBhttps://yarnpkg.com/blog/2019/07/12/recommended-security-update