CVE-2022-26183
Untrusted Search Path vulnerability in pnpm (npm)

Weakness class: Untrusted Search Path. Public exploit: none known.

What is CVE-2022-26183 About?

This vulnerability in PNPM on Windows is an untrusted search path: the application resolves and executes programs from the current working directory. This can lead to arbitrary code execution if a user runs PNPM commands in a compromised directory. Exploitation is relatively straightforward, requiring only that a user inadvertently runs a PNPM command in a directory containing crafted malicious files.

Affected Software

pnpm <6.15.1

Technical Details

The vulnerability exists in PNPM versions prior to v6.15.1 when run on Windows. It is categorized as an untrusted search path vulnerability: when a user executes a PNPM command (e.g., install, run) within a directory, the programs PNPM spawns are looked up in that current directory before or alongside trusted system paths. If an attacker places specially crafted executables or script files, named after legitimate system commands or internal PNPM utilities, into a directory, and a user then runs PNPM commands from that directory, the planted files are executed instead of the intended programs. This leads to arbitrary code execution in the context of the user running PNPM.
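To make the lookup order concrete from the defender's side, the following added example (not pnpm's code, and not a reproduction of the pnpm bug) simulates the Windows command resolution that an untrusted search path relies on: the current working directory is consulted before the PATH entries, and each directory is tried with every PATHEXT extension. It audits a project directory for files that would shadow commands a build tool spawns, and shows that resolving through PATH only (no current-directory lookup, or an absolute program path) selects the legitimate binary. The PATHEXT list, the command names and the directory layout are constructed assumptions for the demo.

```python
"""Audit a project directory for command-shadowing files (added example).

Models the cmd.exe-style lookup that makes an untrusted search path
dangerous: CWD first, then PATH, trying every PATHEXT extension per
directory (case-insensitive). Nothing here executes the files it finds.
"""
import os
import tempfile
from pathlib import Path

# Assumption: a typical default PATHEXT prefix, in lookup order.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]


def resolve_command(name, cwd, path_dirs, pathext=DEFAULT_PATHEXT, cwd_first=True):
    """Return (winner, from_cwd, other_candidates).

    `winner` is the first file that a CWD-first search would pick (None
    if nothing matches). `from_cwd` is True when the winner lives in the
    working directory, which is the condition an attacker needs.
    """
    search = ([cwd] if cwd_first else []) + list(path_dirs)
    hits = []  # at most one winner per directory, in search order
    for d in search:
        try:
            entries = {e.lower(): e for e in os.listdir(d)}
        except OSError:
            continue  # missing or unreadable PATH entry: skip it
        for ext in pathext:
            key = (name + ext).lower()
            if key in entries:
                hits.append(Path(d) / entries[key])
                break  # first extension match wins within a directory
    if not hits:
        return None, False, []
    winner = hits[0]
    from_cwd = cwd_first and winner.parent.resolve() == Path(cwd).resolve()
    return winner, from_cwd, hits[1:]


def audit_project(cwd, path_dirs, commands, pathext=DEFAULT_PATHEXT):
    """Report every command that would resolve into the project directory."""
    findings = {}
    for cmd in commands:
        winner, from_cwd, others = resolve_command(cmd, cwd, path_dirs, pathext)
        if from_cwd:
            findings[cmd] = {
                "cwd_file": str(winner),
                "shadows": [str(o) for o in others],  # legitimate files hidden by it
            }
    return findings


def demo():
    """Build a constructed layout (placeholder files, not real tools) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir = Path(root) / "system"
        project = Path(root) / "project"
        sys_dir.mkdir()
        project.mkdir()
        # Legitimate interpreters live on PATH; contents are irrelevant here.
        (sys_dir / "node.exe").write_text("legit")
        (sys_dir / "git.exe").write_text("legit")
        # Constructed planted file in the project directory, named after the
        # interpreter a build tool spawns; wins under CWD-first lookup.
        (project / "NODE.CMD").write_text("planted")

        findings = audit_project(project, [sys_dir], ["node", "git", "npm"])
        # Mitigation view: resolve through PATH only (or use an absolute
        # program path); the working directory is never consulted.
        safe, _, _ = resolve_command("node", project, [sys_dir], cwd_first=False)
        return {"findings": findings, "safe_resolution": str(safe)}


if __name__ == "__main__":
    result = demo()
    for cmd, info in result["findings"].items():
        print(f"[!] '{cmd}' resolves to {info['cwd_file']} (shadows {info['shadows']})")
    print(f"[ok] PATH-only resolution picks {result['safe_resolution']}")
```

Running `demo()` flags `node` because the project directory holds a `NODE.CMD` that beats the system `node.exe`, while `git` (only on PATH) and `npm` (absent) are clean; the same check with `cwd_first=False` picks the system binary, which is the behaviour a fixed tool should have. The audit is a pre-flight check for untrusted checkouts, not a substitute for upgrading.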

What is the Impact of CVE-2022-26183?

Successful exploitation may allow attackers to execute arbitrary code with the privileges of the compromised user account, leading to system compromise, data theft, or further malicious activity.

What is the Exploitability of CVE-2022-26183?

Exploitation of this vulnerability is of moderate complexity. It requires local access to a system where a user will operate PNPM, or the ability to convince a user to navigate to and run PNPM commands from a directory controlled by the attacker. No authentication or elevated privileges are needed; the malicious code runs with the privileges of the user running PNPM. The attack is local in nature, meaning the attacker must pre-place malicious files in a specific directory. Prerequisites are a Windows OS and a PNPM version prior to v6.15.1. The risk of exploitation is significantly increased if users frequently work with untrusted project directories, or if an attacker can trick users into downloading and extracting a malicious project archive.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-26183?

Available Upgrade Options

  • pnpm
    • <6.15.1 → Upgrade to 6.15.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-26183?

Similar Vulnerabilities: CVE-2019-13050, CVE-2021-39686, CVE-2017-5095, CVE-2020-0010, CVE-2021-34483