An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.
Credits
Red Hat would like to thank Paul Gerste (Sonar) for reporting this issue.
