CVE-2023-37478
Supply Chain Attack vulnerability in pnpm (npm)

Supply Chain Attack Proof of concept

What is CVE-2023-37478 About?

This vulnerability affects pnpm's tarball extraction mechanism, allowing a maliciously crafted tarball to produce a different result when installed via pnpm compared to npm for the same package. This difference can lead to the installation of compromised or malicious package versions, enabling supply chain attacks. Exploitation relies on specific tar archive formatting and pnpm's handling of duplicate files.

Affected Software

  • pnpm
    • >8.0.0, <8.6.8
    • <7.33.4
  • @pnpm/exe
    • >8.0.0, <8.6.8
    • <7.33.4
  • @pnpm/linux-arm64
    • >8.0.0, <8.6.8
    • <7.33.4
  • @pnpm/linux-x64
    • >8.0.0, <8.6.8
    • <7.33.4
  • @pnpm/linuxstatic-arm64
    • >8.0.0, <8.6.8
    • <7.33.4
  • @pnpm/macos-arm64
    • >8.0.0, <8.6.8
    • <7.33.4
  • @pnpm/macos-x64
    • >8.0.0, <8.6.8
    • <7.33.4
  • @pnpm/win-x64
    • >8.0.0, <8.6.8
    • <7.33.4
  • @pnpm/cafs
    • <7.0.5

Technical Details

The TAR archive format is append-only, meaning updates to a file are handled by adding a new record. When extracting, the last record for a given filename typically 'wins'. However, pnpm, when extracting via tar-stream, incorrectly extracts only the first file of a given name and discards subsequent duplicates. This behavior, coupled with the ability to define multiple root folders in a tarball (e.g., a/package.json, package/package.json, z/package.json), allows an attacker to control which package.json file is parsed based on the order of files in the tarball. An attacker can craft a tarball where a benign package.json (the latest in the archive) is seen by npm, but an earlier, malicious package.json is seen and used by pnpm, leading to the installation of different dependencies (e.g., react@15 instead of react@17).

What is the Impact of CVE-2023-37478?

Successful exploitation may allow attackers to replace legitimate packages with compromised or malicious versions, leading to supply chain compromise, arbitrary code execution, or data theft.

What is the Exploitability of CVE-2023-37478?

Exploitation of this vulnerability requires an attacker to control the creation of a tarball and its contents, specifically the ordering of duplicate files within the archive. The complexity is moderate, requiring an understanding of the TAR format and pnpm's specific parsing behavior. No authentication is required for an attacker to create and publish such a malicious tarball to a registry, nor for a user to install it. This is a remote exploitation scenario, where the attacker delivers the malicious package. The primary prerequisite is that the victim uses pnpm to install the crafted tarball. No special privileges are needed on the victim's system, but the impact is significant if a malicious package is installed in place of a trusted one. The risk factors include reliance on pnpm for package installation and trust in package sources that may distribute such crafted archives.

What are the Known Public Exploits?

PoC Author Link Commentary
li-minhao Link PoC for CVE-2023-37478
TrevorGKann Link CVE-2023-37478 showcases how a difference in npm and pnpm install packages that could be exploited by a well crafted tar.gz packge. This repo shows a demo.

What are the Available Fixes for CVE-2023-37478?

Available Upgrade Options

  • @pnpm/cafs
    • <7.0.5 → Upgrade to 7.0.5
  • @pnpm/macos-arm64
    • <7.33.4 → Upgrade to 7.33.4
  • @pnpm/macos-arm64
    • >8.0.0, <8.6.8 → Upgrade to 8.6.8
  • @pnpm/win-x64
    • <7.33.4 → Upgrade to 7.33.4
  • @pnpm/win-x64
    • >8.0.0, <8.6.8 → Upgrade to 8.6.8
  • pnpm
    • <7.33.4 → Upgrade to 7.33.4
  • pnpm
    • >8.0.0, <8.6.8 → Upgrade to 8.6.8
  • @pnpm/linux-arm64
    • <7.33.4 → Upgrade to 7.33.4
  • @pnpm/linux-arm64
    • >8.0.0, <8.6.8 → Upgrade to 8.6.8
  • @pnpm/linuxstatic-arm64
    • <7.33.4 → Upgrade to 7.33.4
  • @pnpm/linuxstatic-arm64
    • >8.0.0, <8.6.8 → Upgrade to 8.6.8
  • @pnpm/macos-x64
    • <7.33.4 → Upgrade to 7.33.4
  • @pnpm/macos-x64
    • >8.0.0, <8.6.8 → Upgrade to 8.6.8
  • @pnpm/exe
    • <7.33.4 → Upgrade to 7.33.4
  • @pnpm/exe
    • >8.0.0, <8.6.8 → Upgrade to 8.6.8
  • @pnpm/linux-x64
    • <7.33.4 → Upgrade to 7.33.4
  • @pnpm/linux-x64
    • >8.0.0, <8.6.8 → Upgrade to 8.6.8

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2023-37478?

Similar Vulnerabilities: CVE-2024-53866 , CVE-2022-29367 , CVE-2023-50953 , CVE-2023-50951 , CVE-2023-50952

All Rights reserved 2025
Privacy Policy