ghsa-vm32-9rqf-rh3r
Vulnerability from github
Published
2024-12-10 22:42
Modified
2024-12-10 22:42
Severity ?
5.8 (Medium) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
Summary
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
Details

Summary

pnpm seems to mishandle overrides and global cache: 1. Overrides from one workspace leak into npm metadata saved in global cache 2. npm metadata from global cache affects other workspaces 3. installs by default don't revalidate the data (including on first lockfile generation)

This can make workspace A (even running with ignore-scripts=true) posion global cache and execute scripts in workspace B

Users generally expect ignore-scripts to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it).

Here, that expectation is broken

Details

See PoC.

In it, overrides from a single run of A get leaked into e.g. ~/Library/Caches/pnpm/metadata/registry.npmjs.org/rimraf.json and persistently affect all other projects using the cache

PoC

Postinstall code used in PoC is benign and can be inspected in https://www.npmjs.com/package/ponyhooves?activeTab=code, it's just a console.log

  1. Remove store and cache On mac: rm -rf ~/Library/Caches/pnpm ~/Library/pnpm/store This step is not required in general, but we'll be using a popular package for PoC that's likely cached
  2. Create A/package.json: json { "name": "A", "pnpm": { "overrides": { "rimraf>glob": "npm:ponyhooves@1" } }, "dependencies": { "rimraf": "6.0.1" } } Install it with pnpm i --ignore-scripts (the flag is not required, but the point of the demo is to show that it doesn't help)
  3. Create B/package.json: json { "name": "B", "dependencies": { "rimraf": "6.0.1" } } Install it with pnpm i

Result: ```console Packages: +3 +++ Progress: resolved 3, reused 3, downloaded 0, added 3, done node_modules/.pnpm/ponyhooves@1.0.1/node_modules/ponyhooves: Running postinstall script, done in 51ms

dependencies: + rimraf 6.0.1

Done in 1.4s ```

Also, that code got leaked into another project and it's lockfile now!

Impact

Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs

As a work-around, use separate cache and store dirs in each workspace

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pnpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-53866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-426"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-10T22:42:41Z",
    "nvd_published_at": "2024-12-10T18:15:42Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\npnpm seems to mishandle overrides and global cache:\n1. Overrides from one workspace leak into npm metadata saved in global cache\n2. npm metadata from global cache affects other workspaces\n3. installs by default don\u0027t revalidate the data (including on first lockfile generation)\n\nThis can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B\n\nUsers generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it).\n\nHere, that expectation is broken\n\n### Details\n\nSee PoC.\n\nIn it, overrides from a single run of A get leaked into e.g. `~/Library/Caches/pnpm/metadata/registry.npmjs.org/rimraf.json` and persistently affect all other projects using the cache\n\n### PoC\n\nPostinstall code used in PoC is benign and can be inspected in \u003chttps://www.npmjs.com/package/ponyhooves?activeTab=code\u003e, it\u0027s just a `console.log`\n\n1. Remove store and cache\n   On mac: `rm -rf ~/Library/Caches/pnpm ~/Library/pnpm/store`\n   This step is not required in general, but we\u0027ll be using a popular package for PoC that\u0027s likely cached\n2. Create `A/package.json`:\n   ```json\n   {\n     \"name\": \"A\",\n     \"pnpm\": { \"overrides\": { \"rimraf\u003eglob\": \"npm:ponyhooves@1\" } },\n     \"dependencies\": { \"rimraf\": \"6.0.1\" }\n   }\n   ```\n   Install it with `pnpm i --ignore-scripts` (the flag is not required, but the point of the demo is to show that it doesn\u0027t help)\n4. Create `B/package.json`:\n   ```json\n   {\n     \"name\": \"B\",\n     \"dependencies\": { \"rimraf\": \"6.0.1\" }\n   }\n   ```\n   Install it with `pnpm i`\n\nResult:\n```console\nPackages: +3\n+++\nProgress: resolved 3, reused 3, downloaded 0, added 3, done\nnode_modules/.pnpm/ponyhooves@1.0.1/node_modules/ponyhooves: Running postinstall script, done in 51ms\n\ndependencies:\n+ rimraf 6.0.1\n\nDone in 1.4s\n```\n\nAlso, that code got leaked into another project and it\u0027s lockfile now! \n\n### Impact\n\nGlobal state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs\n\nAs a work-around, use separate cache and store dirs in each workspace\n",
  "id": "GHSA-vm32-9rqf-rh3r",
  "modified": "2024-12-10T22:42:41Z",
  "published": "2024-12-10T22:42:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53866"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pnpm/pnpm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.