CVE-2024-53866

Severity: Medium · EPSS 56.5%
Published Dec 10, 2024 · Modified Jun 17, 2026
CVSS 4.0 base score: 5.8 (Medium)

Description

The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: overrides from one workspace leak into npm metadata saved in the global cache; npm metadata from the global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can let workspace A (even running with `ignore-scripts=true`) poison the global cache and execute scripts in workspace B. Users generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it). Here, that expectation is broken. Global state integrity is lost via operations that one would expect to be secure, enabling arbitrary code execution on subsequent installs. Version 9.15.0 fixes the issue. As a workaround, use separate cache and store dirs in each workspace.

CVSS Details

Base Score: 5.8
Exploitability
Impact
Vector string: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Passive (P)
Scope: Not Defined (X)

Threat Intelligence

EPSS Exploit Probability: 56.5% percentile
Exploit & Patch Status: Public Exploit Known; Patch Available

Weaknesses (1)

CWE-426 (Untrusted Search Path)

Affected Products (1)

Vendor  Product  Version  Range
pnpm    pnpm     *        <9.15.0

References (2)

  • github.com https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743
    Patch
  • github.com https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743
    Patch