The yeoman-environment utility is vulnerable to arbitrary package installation and code execution via unauthenticated, attacker-supplied project configurations.

The installLocalGenerators() method fails to perform user confirmation when installing missing local generator packages. This allows an attacker to trigger arbitrary code execution during CLI bootstrap if a consumer utilizes attacker-controlled project configuration.

With a CVSS score of 8.6, this flaw poses a severe risk of system compromise. An attacker who can influence project configurations can achieve arbitrary code execution on the developer's machine or build environment. This risk is compounded by the lack of user interaction or confirmation required to install the malicious packages, effectively bypassing standard security expectations.

Immediate Action: Update yeoman-environment to version 6.0.1 or later immediately.

Proactive Monitoring: Audit project configuration files and CLI bootstrap processes for unauthorized dependencies or anomalous installation activity.

Compensating Controls: Restrict the execution of Yeoman CLI tools to isolated, ephemeral build environments where potential code execution risks are contained.

Public Exploit Available: false

This vulnerability represents a significant supply-chain risk for development environments. Organizations should update the affected package immediately and review downstream project configurations to ensure that they are not accepting arbitrary inputs from untrusted sources.