Skip to main content

yeoman-environment CVE-2026-42089

| EUVDEUVD-2026-37131 HIGH
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-05-26 https://github.com/yeoman/environment GHSA-vv9j-gjw2-j8wp
8.6
CVSS 3.1 · Vendor: https://github.com/yeoman/environment
Share

Severity by source

Vendor (https://github.com/yeoman/environment) PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (https://github.com/yeoman/environment).

CVSS VectorVendor: https://github.com/yeoman/environment

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 26, 2026 - 23:45 vuln.today
Analysis Generated
May 26, 2026 - 23:45 vuln.today

DescriptionCVE.org

Impact

yeoman-environment versions >= 2.9.0 and < 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap.

The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user.

Patches

Upgrade to yeoman-environment 6.0.1, which adds an interactive confirmation prompt before installation (PR #753).

Workarounds

None.

Resources

AnalysisAI

Arbitrary package installation leading to code execution affects the yeoman-environment npm library (the runtime behind the Yeoman/yo scaffolding CLI) in versions >= 2.9.0 and < 6.0.1. The vulnerable installLocalGenerators() method silently calls repository.install() on caller-supplied package names without any user confirmation, so a downstream CLI that passes attacker-controlled project configuration into this path will install and execute attacker-chosen packages during bootstrap. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; CVSS is 8.6 (high) but exploitation is contingent on how consumers feed configuration into the library.

Technical ContextAI

yeoman-environment is the core npm package that loads, resolves and runs Yeoman generators for CLI scaffolding tools. When a referenced local generator is missing, the installLocalGenerators() method in src/environment-full.ts resolves the package specs and invokes repository.install() (an npm-style package install) directly. The root cause maps to CWE-829 (Inclusion of Functionality from an Untrusted Control Sphere): the package name to be fetched and installed originates from caller-supplied/project configuration rather than a trusted source, and npm package installation can run lifecycle scripts (preinstall/postinstall), which is the mechanism that turns silent installation into code execution. The affected component is identified by CPE/PURL pkg:npm/yeoman-environment. The fix (commit 78d2af7, PR #753, released in 6.0.1) inserts an interactive confirm prompt that defaults to false and throws if declined, with an explicit forceInstall opt-out.

RemediationAI

Vendor-released patch: 6.0.1 - upgrade yeoman-environment to 6.0.1 or later, which adds an interactive confirmation prompt (defaulting to decline) before installing local generators (PR #753, fix commit https://github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fa; advisory https://github.com/yeoman/environment/security/advisories/GHSA-vv9j-gjw2-j8wp). The vendor states there are no workarounds, so upgrading is the only sanctioned remediation. If you cannot upgrade immediately, practical compensating controls include: avoid feeding untrusted or attacker-controlled project configuration into Yeoman-based CLIs (the precondition for abuse); run scaffolding tools only against trusted repositories; execute CLI bootstrap inside a sandbox or container with no sensitive credentials; and set npm to refuse lifecycle scripts (for example npm config set ignore-scripts true or installing with --ignore-scripts), accepting the trade-off that legitimate packages relying on install scripts may then fail and require manual setup. These controls reduce but do not fully eliminate the silent-install behavior, which is why upgrading to 6.0.1 is preferred.

Vendor StatusVendor

Share

CVE-2026-42089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy