CVE-2021-4435: 
JavaScript vulnerability analysis and mitigation

An untrusted search path vulnerability (CVE-2021-4435) was discovered in Yarn package manager. The vulnerability affects versions up to (excluding) 1.22.13. When users run certain Yarn commands in a directory containing attacker-controlled content, malicious commands could be executed in unexpected ways (NVD, Red Hat).

The vulnerability is classified as an Untrusted Search Path issue (CWE-426). It received a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability requires local access and user interaction but no privileges, while potentially affecting the confidentiality, integrity, and availability of the system (NVD).

If exploited, this vulnerability could allow an attacker to execute malicious commands in unexpected ways when a victim runs certain Yarn commands in a compromised directory. This could lead to arbitrary code execution with the privileges of the user running the Yarn command (NVD).

The vulnerability has been fixed in Yarn version 1.22.13. Users are advised to upgrade to this version or later to mitigate the risk. The fix prevents the current working directory from being a valid resolution for exec commands (Yarn Commit, Yarn Release).