Code Execution Vulnerability in pnpm Package Manager by PNPM
CVE-2024-53866

5.8 MEDIUM

Key Information:

Vendor: Pnpm
Status: Vendor
CVE Published: 10 December 2024

What is CVE-2024-53866?

Before version 9.15.0, the pnpm package manager mishandles the interaction between workspace overrides and its global cache: overrides declared in one workspace leak into the npm metadata that pnpm stores in the global cache, so that metadata can then influence other workspaces. Compounding this, the default installation does not revalidate cached data, and neither does the first lockfile generation. The result is that workspace A can poison the global cache so that malicious code is executed in workspace B, even when the ignore-scripts flag is set, undermining the integrity guarantees users expect from the package manager. Users are urged to upgrade to version 9.15.0 or, as a temporary workaround, configure separate cache and store directories for each workspace.

Affected Version(s)

pnpm < 9.15.0

References

CVSS V4

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
