A recent vulnerability discovered in the pnpm package manager, assigned CVE-2024-53866, has raised concerns for developers using the software. The issue concerns the way pnpm handles overrides and the global cache before version 9.15. This post aims to detail the vulnerability, provide configuration snippets for those affected, and link to original references to better understand the nature of the problem, its risks, and how to avoid it.

The Vulnerability

The vulnerability lies in the way pnpm versions prior to 9.15. handle overrides and the global cache in workspaces. Overrides from one workspace can leak into the npm metadata stored in the global cache, causing it to affect other workspaces. Additionally, installs by default do not revalidate the data, including on the first lockfile generation.

This can lead to a situation where workspace A, even running with the ignore-scripts=true flag, can poison the global cache and cause scripts to execute in workspace B. Users normally expect the ignore-scripts flag to prevent immediate code execution upon installation, but in this case that expectation is not met. Consequently, the integrity of the global state is compromised through operations a developer would expect to be secure, enabling arbitrary code execution during installations.

The Fix

Version 9.15. of pnpm fixes the issue by properly handling overrides and the global cache. To upgrade to this version, simply run the following command:

npm install -g pnpm@9.15.

Workaround

If, for any reason, upgrading to version 9.15. is not possible, a workaround is to use separate cache and store directories in each workspace, isolating them from one another. This can be achieved by setting the cache and store directories in the pnpm configuration file (.npmrc), usually found at the root of the workspace:

# .npmrc
cache-dir=path/to/cache-directory
store-dir=path/to/store-directory

Make sure to use unique paths for each workspace to prevent leakage and security risks between them.

Original References

1. pnpm GitHub Repository - Release Notes for Version 9.15.
2. pnpm Documentation on Configuring Cache and Store Directories

Conclusion

CVE-2024-53866 is a significant vulnerability in the pnpm package manager that affects versions prior to 9.15., posing a risk for cross-workspace code execution. Users are advised to upgrade to the fixed version or implement the workaround mentioned above, ensuring that the integrity and security of their workspaces are preserved.

It is especially crucial for those who maintain or contribute to open-source projects to be aware of such vulnerabilities and potential exploits, as they may have consequences on a larger scale. As such, please make sure to share this information with your network and fellow developers to increase awareness of the issue and its solutions.

Timeline

Published on: 12/10/2024 18:15:42 UTC