CVE-2024-53866

Exploit

EPSS 1%
Veröffentlicht 10.12.2024 18:15:42
Zuletzt bearbeitet 22.09.2025 18:03:42
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B. Users generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it). Here, that expectation is broken. Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs. Version 9.15.0 fixes the issue. As a work-around, use separate cache and store dirs in each workspace.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pnpm ≫ Pnpm HwPlatformnode.js Version < 9.15.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1%	0.766

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	5.8	0	0	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-426 Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743

Patch

https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-53866

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-53866

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-53866

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-53866