Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-53866

Good to know:

icon

Date: December 10, 2024

The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can make workspace A (even running with "ignore-scripts=true") posion global cache and execute scripts in workspace B. Users generally expect "ignore-scripts" to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it). Here, that expectation is broken. Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs. Version 9.15.0 fixes the issue. As a work-around, use separate cache and store dirs in each workspace.

Language: TYPE_SCRIPT

Severity Score

Related Resources (5)

https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743
https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r
https://nvd.nist.gov/vuln/detail/CVE-2024-53866
https://github.com/pnpm/pnpm
https://www.mend.io/vulnerability-database/CVE-2024-53866

Severity Score

Weakness Type (CWE)

Origin Validation Error

CWE-346

Untrusted Search Path

CWE-426

Top Fix

icon

Upgrade Version

Upgrade to version pnpm - 9.15.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us