Description
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of node_modules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal sequences like ../../ remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.
A flaw was found in pnpm, a package manager. A remote attacker can exploit a path traversal vulnerability by crafting malicious npm packages. This vulnerability allows the attacker to bypass validation by using bin names starting with an "@" symbol, enabling them to create executable shims or symbolic links (symlinks) outside of the designated node_modules/.bin directory. This could lead to arbitrary code execution or privilege escalation on the affected system.
Report
This vulnerability is rated Moderate for Red Hat. It affects systems using pnpm where malicious npm packages can exploit a path traversal flaw during bin linking. This allows the creation of executable files or symlinks outside of the node_modules/.bin directory, posing a risk in environments that install untrusted npm packages, such as development or CI/CD pipelines.
Mitigation
To mitigate this issue, ensure that only trusted npm packages are installed when utilizing pnpm. Restrict the use of pnpm for package installation to controlled environments, such as secure CI/CD pipelines, to prevent the introduction of malicious packages. Implement robust package source validation and integrity checks to minimize exposure.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 8 | org.keycloak-keycloak-parent | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | org.keycloak-keycloak-parent | Fix deferred | | |
Additional information
Status:
CVSS3: 6.5 Medium
Related vulnerabilities
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
Vulnerability in the pnpm package manager related to improper limitation of a pathname to a directory, allowing an attacker to write arbitrary files