
CVE-2023-37478

Published: 01/08/2023 Updated: 04/08/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

pnpm is a package manager. It is possible to construct a tarball that is safe when installed via npm or parsed by the registry, but malicious when installed via pnpm, due to how pnpm parses tar archives. The result is that a package which appears safe on the npm registry, or when installed via npm, can be replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in versions 7.33.4 and 8.6.8; installations running an earlier 7.x or 8.x release should be upgraded, and lockfile integrity hashes do not help here because the tarball itself is unchanged between the two installers.
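The advisory says only that the two installers parse the same tar archive differently; it does not spell out the divergence. The following added example (not code from pnpm, npm or the demo repository) assumes one concrete way such a differential can arise: an archive that carries the same path twice. A sequential extractor that writes entries to disk in order keeps the last entry (the behaviour of GNU tar and of Python's tarfile, whose getmember() documents that the last occurrence wins), while an indexer that records only the first entry it sees keeps the other one. The tarball, the file contents and the two resolution policies are all constructed here for illustration; duplicate_paths() is the pre-install check a practitioner would want regardless of which policy a given tool uses.

```python
import io
import tarfile

# Constructed file contents for the demo (not taken from any real package).
BENIGN = b'console.log("have a nice day");\n'
MALICIOUS = b'require("child_process").exec("echo pwned");\n'


def build_tarball(entries):
    """Build a gzipped tarball in memory from (path, bytes) pairs, preserving order.

    Duplicate paths are written as separate entries, exactly as a crafted
    archive would carry them; tarfile does not deduplicate on write."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in entries:
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def index_first_wins(tarball):
    """Assumed policy A: an index that keeps the first entry for each path."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        for member in tf:
            if member.isfile() and member.name not in files:
                files[member.name] = tf.extractfile(member).read()
    return files


def index_last_wins(tarball):
    """Assumed policy B: sequential extraction, where a later entry overwrites
    an earlier one at the same path (the common extract-to-disk behaviour)."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        for member in tf:
            if member.isfile():
                files[member.name] = tf.extractfile(member).read()
    return files


def duplicate_paths(tarball):
    """Pre-install check: return every path that appears more than once.

    A legitimate package tarball has no reason to contain duplicate entries,
    so any hit is grounds to reject the archive before any installer sees it."""
    seen = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        for member in tf:
            seen[member.name] = seen.get(member.name, 0) + 1
    return sorted(path for path, count in seen.items() if count > 1)


# Crafted archive: the malicious index.js comes first, the benign copy second.
CRAFTED = build_tarball([
    ("package/package.json", b'{"name":"demo","version":"1.0.0","main":"index.js"}\n'),
    ("package/index.js", MALICIOUS),
    ("package/index.js", BENIGN),
])


if __name__ == "__main__":
    print("first-wins sees:", index_first_wins(CRAFTED)["package/index.js"])
    print("last-wins sees: ", index_last_wins(CRAFTED)["package/index.js"])
    print("duplicate paths:", duplicate_paths(CRAFTED))
```

Run against CRAFTED, the two policies return different contents for package/index.js even though the bytes on the wire, and therefore any integrity hash over the tarball, are identical. That is why a registry-side scan or an npm install proves nothing about what a differently-parsing installer will write to node_modules, and why rejecting archives with duplicate paths is the robust fix rather than aligning on either policy.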

Vulnerable Product

Vendor: pnpm / Product: pnpm

Github Repositories

CVE-2023-37478 shows how a difference in the way npm and pnpm install packages could be exploited with a well-crafted tar.gz package. This repo contains a demo.

pnpm vs npm exploit

This repo showcases how a difference in npm and pnpm installation from tarballs can be exploited. The exploit is recorded in CVE-2023-37478. The JavaScript package constructed here claims it prints out a nice message to the user. When installed with npm, this is true. However, the same package can be installed with pnpm and it will print out a mean message O