Listen to this Post
How the CVE Works:
The vulnerability is located in the `store/cafs/src/addFilesFromDir.ts` module of pnpm. When installing a local directory (file:) or git dependency, pnpm’s file-copying routine traverses the package directory. It uses `fs.statSync()` and `fs.readFileSync()` to gather and read files. These Node.js functions inherently follow symbolic links. The code does not validate if the final resolved path of a symlink remains within the boundaries of the source package directory. Therefore, a malicious package can contain a symlink pointing to an absolute path outside its root, such as `/etc/passwd` or ~/.ssh/id_rsa. During installation, pnpm will blindly follow this symlink, read the target file’s contents, and write a copy of that sensitive host system file into the project’s `node_modules` directory, leading to local file disclosure.
dailycve form:
Platform: pnpm (Node.js)
Version: <= 8.15.x
Vulnerability : Symlink Arbitrary File Read
Severity: High
date: 2024-xx-xx
Prediction: 2024-10-15
What Undercode Say:
Analytics:
mkdir -p /tmp/evil && cd /tmp/evil
ln -s /etc/passwd leaked.txt
echo '{"name":"evil","version":"1.0.0"}' > package.json
mkdir /tmp/victim && cd /tmp/victim
pnpm init && pnpm add file:../evil
cat node_modules/evil/leaked.txt
Exploit:
Malicious package creation.
Symlink to host file.
Victim installs dependency.
Sensitive file copied.
Protection from this CVE:
Use `fs.lstatSync()`.
Validate resolved path.
Restrict to package root.
Impact:
Credential theft.
Local file leakage.
CI/CD compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

