CVE-2024-53866: pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
pnpm seems to mishandle overrides and global cache:
- Overrides from one workspace leak into npm metadata saved in global cache
- npm metadata from global cache affects other workspaces
- installs by default don’t revalidate the data (including on first lockfile generation)
This can let workspace A (even one running with `ignore-scripts=true`) poison the global cache and cause scripts to execute on install in workspace B.
Users generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked or bundled without executing it). Here, that expectation is broken.
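The Python model below is an added illustration, not pnpm's own code: it reduces a package-manager resolver to a few dozen lines so the three problems listed above (overrides leaking into cached registry metadata, that metadata being shared across workspaces, and cached documents being trusted without revalidation) can be reproduced side by side with a resolver that avoids them. The registry contents, the package names and the representation of an override as a name-to-name mapping are all constructed for the example.

```python
import copy
import hashlib
import json

# Constructed stand-in for registry metadata; these are not real packages.
REGISTRY = {
    "app-lib": {"name": "app-lib", "version": "2.0.0",
                "dependencies": {"left-pad": "1.0.0"}, "scripts": {}},
    "left-pad": {"name": "left-pad", "version": "1.0.0",
                 "dependencies": {}, "scripts": {}},
    "evil-pad": {"name": "evil-pad", "version": "1.0.0",
                 "dependencies": {}, "scripts": {"postinstall": "echo postinstall-ran"}},
}


def digest(doc):
    """Hash of a registry document, ignoring cache-private fields (prefixed '_')."""
    public = {k: v for k, v in doc.items() if not k.startswith("_")}
    return hashlib.sha256(json.dumps(public, sort_keys=True).encode()).hexdigest()


def fetch(name):
    """Simulated registry request returning a document plus its integrity hash."""
    doc = copy.deepcopy(REGISTRY[name])
    doc["_integrity"] = digest(doc)
    return doc


def install_vulnerable(cache, overrides, ignore_scripts, root):
    """Resolver modelling the flaw: a workspace's overrides are baked into the
    shared cache, and cached documents are trusted without revalidation."""
    installed, scripts = [], []
    queue = [root]
    while queue:
        name = queue.pop()
        if name not in cache:
            doc = fetch(name)
            # BUG: the workspace's overrides rewrite the registry document ...
            for dep in list(doc["dependencies"]):
                if dep in overrides:
                    doc["dependencies"][overrides[dep]] = doc["dependencies"].pop(dep)
            # ... and that rewritten document is what every other workspace reads.
            cache[name] = doc
        doc = cache[name]  # BUG: nothing checks what came out of the cache
        installed.append(name)
        if doc["scripts"] and not ignore_scripts:
            scripts.append((name, doc["scripts"]["postinstall"]))
        queue.extend(doc["dependencies"])
    return installed, scripts


def install_hardened(cache, overrides, ignore_scripts, root):
    """Resolver that keeps the cache as pristine registry data, revalidates each
    cached document against its integrity hash, and applies overrides only to
    this workspace's in-memory resolution."""
    installed, scripts = [], []
    queue = [root]
    while queue:
        name = queue.pop()
        cached = cache.get(name)
        if cached is None or digest(cached) != cached.get("_integrity"):
            cache[name] = fetch(name)  # missing or altered: refetch, never trust
        doc = copy.deepcopy(cache[name])  # work on a copy, never mutate the cache
        installed.append(name)
        if doc["scripts"] and not ignore_scripts:
            scripts.append((name, doc["scripts"]["postinstall"]))
        # Overrides are a per-workspace resolution concern, not registry data.
        queue.extend(overrides.get(dep, dep) for dep in doc["dependencies"])
    return installed, scripts


def demo(install):
    """Workspace A (ignore-scripts on, with an override) installs first, then
    workspace B (defaults, no overrides) installs from the same global cache."""
    cache = {}
    a = install(cache, {"left-pad": "evil-pad"}, True, "app-lib")
    b = install(cache, {}, False, "app-lib")
    return a, b


if __name__ == "__main__":
    print("vulnerable:", demo(install_vulnerable))
    print("hardened:  ", demo(install_hardened))
```

With the vulnerable resolver, workspace A never runs a script, yet workspace B ends up with `evil-pad` and its `postinstall` queued for execution. With the hardened resolver the same sequence leaves B with the unmodified `left-pad`, and a cache already poisoned by the vulnerable resolver is rejected because the stored document no longer matches its integrity hash.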