MGASA-2025-0194

Advisory lineage Upstream: 11 Downstream: 0
Published: 25 Jun 2025, 05:31
Last modified: 16 Apr 2026, 04:20

Vulnerability Summary

Overall Risk (default): minimal (0/100)
CVSS Score: No data
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

25 Jun 2025, 05:31 - Published: Vulnerability first disclosed
16 Apr 2026, 04:20 - Last Modified: Vulnerability information updated

Description

Updated yarnpkg packages fix security vulnerabilities:

  • CVE-2024-37890 yarnpkg: denial of service when handling a request with many HTTP headers.
  • CVE-2024-48949 yarnpkg: Missing Validation in Elliptic's EDDSA Signature Verification.
  • CVE-2024-12905 yarnpkg: link following and path traversal via maliciously crafted tar file.

Other vulnerabilities in yarn's bundled nodejs components are fixed too; see the references.

Affected Systems

  • mageia yarnpkg < 1.22.22-0.10.9.2.1.mga9

References (4)