Description

The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B. Users generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it). Here, that expectation is broken. Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs. Version 9.15.0 fixes the issue. As a work-around, use separate cache and store dirs in each workspace.

INFO

Published Date :

2024-12-10T17:12:44.629Z

Last Modified :

2025-12-31T01:11:35.531Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-53866 vulnerability.

Vendors Products
Pnpm
  • Pnpm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-53866.

URL Resource
https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743 cve-icon cve-icon
https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact