CVE-2024-53866
Supply Chain Attack vulnerability in pnpm (npm)


What is CVE-2024-53866 About?

pnpm mishandles overrides and its global cache, allowing overrides from one workspace to leak into and persist in the global cache, affecting other workspaces. This can lead to arbitrary code execution during subsequent installs, even with `ignore-scripts=true`. Exploitation involves a malicious override polluting the cache and subsequently affecting other projects that use that cache.

Affected Software

pnpm <9.15.0

Technical Details

The vulnerability stems from pnpm's global cache management and override application. When a workspace (e.g., Workspace A) is installed with specific dependency overrides (e.g., `rimraf>glob` overridden to `npm:ponyhooves@1`), these override definitions are not confined to Workspace A. Instead, they are incorrectly written into the global pnpm metadata cache (e.g., `~/Library/Caches/pnpm/metadata/registry.npmjs.org/rimraf.json`). Subsequently, when a different workspace (e.g., Workspace B) installs rimraf, which depends on glob, it consults this polluted global cache. Because the cache now contains the malicious override, Workspace B unknowingly installs the ponyhooves package instead of rimraf's legitimate glob dependency, even if Workspace B itself defines no overrides or uses `ignore-scripts=true`. If ponyhooves contains a malicious postinstall script, that script executes during Workspace B's installation, leading to arbitrary code execution.

What is the Impact of CVE-2024-53866?

Successful exploitation may allow attackers to achieve arbitrary code execution via compromised dependencies, lead to supply chain integrity loss, or install unwanted software.

What is the Exploitability of CVE-2024-53866?

Exploitation of this vulnerability is of moderate complexity. It requires an attacker to first introduce a pnpm workspace with malicious overrides into a user's environment, either directly or through a compromised repository. This initial step can occur even if `ignore-scripts=true` is used for the first installation. Once the global cache is polluted, any subsequent pnpm installation in any other workspace on the same system that relies on the affected cached package can trigger the arbitrary code execution. No specific authentication is required at the point of the secondary exploitation, as it leverages the already compromised global cache. The exploitation is typically local, but the initial cache pollution can arise from remote sources. The prerequisite is the shared use of a pnpm global package cache. This vulnerability bypasses the `ignore-scripts` expectation, significantly increasing the risk of unexpected code execution.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2024-53866?

Available Upgrade Options

  • pnpm
    • <9.15.0 → Upgrade to 9.15.0


Additional Resources

What are Similar Vulnerabilities to CVE-2024-53866?

Similar Vulnerabilities: CVE-2023-37478, CVE-2022-29367, CVE-2023-50953, CVE-2023-50951, CVE-2023-50952