CVE-2023-37478 in pnpm
Summary
by MITRE • 08/01/2023
pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/24/2023
The vulnerability identified as CVE-2023-37478 represents a critical discrepancy in how different package managers handle tarball extraction, specifically exposing a security gap in pnpm's archive parsing mechanism. This issue arises from fundamental differences in how pnpm processes tar archives compared to npm's approach, creating an attack surface where malicious actors can craft tarballs that appear benign when processed by npm or the npm registry but execute harmful code when processed by pnpm. The vulnerability stems from pnpm's more permissive handling of tar archive structures, particularly around symbolic link resolution and directory traversal mechanisms that are not properly validated during the extraction process.
The technical flaw manifests in pnpm's tarball parsing logic where it fails to adequately sanitize or validate the contents of tar archives before extraction. When a malicious tarball is constructed with specific symbolic link patterns or directory structures, pnpm's parser may interpret these incorrectly, leading to arbitrary file overwrite or execution scenarios. This behavior is particularly concerning because it creates a scenario where a package that passes registry validation and npm installation remains safe, yet becomes compromised when installed through pnpm. The vulnerability operates at the intersection of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-427 (Uncontrolled Search Path Element), as pnpm's extraction process does not properly constrain the paths that can be written to during archive extraction.
The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise potential. Attackers can exploit this by creating malicious packages that appear legitimate in registry listings and function normally when installed via npm, but when installed through pnpm, they can overwrite critical system files, inject malicious code into installed packages, or establish persistence mechanisms. This creates a dangerous scenario where developers might unknowingly install compromised packages, particularly in environments where pnpm is the preferred package manager. The vulnerability affects both pnpm versions 7.x and 8.x, with patches released in versions 7.33.4 and 8.6.8 respectively, addressing the core parsing logic that allowed improper path resolution during tarball extraction.
Organizations and developers should immediately update to the patched versions of pnpm to mitigate this risk, while also implementing monitoring for unusual package installation patterns that might indicate exploitation attempts. The vulnerability highlights the importance of consistent security practices across different package managers and underscores the need for comprehensive testing of package installation processes across multiple environments. Security teams should consider implementing package integrity checks and monitoring for unexpected file modifications during package installation, particularly in environments where multiple package managers are used. The issue also demonstrates the broader challenge of maintaining security consistency across different tools in the software supply chain ecosystem, where discrepancies between implementations can create exploitable gaps that attackers can leverage to bypass security controls.