pnpm, Path Traversal, CVE-2024-0000 (Critical)

Listen to this Post

How the CVE Works

pnpm’s package installation process handles executable binaries defined in a package’s `directories.bin` field. The vulnerable code in `package-bins/src/index.ts` uses `path.join()` to resolve the specified `directories.bin` path relative to the package root. However, it fails to validate if the resolved path remains within the package’s directory boundary. A malicious package can define "directories": {"bin": "../../../../tmp"}. When pnpm processes this, `path.join()` resolves it to an absolute path outside the package, like /tmp. pnpm then scans this external directory for files and incorrectly applies `chmod 755` to any found non-dotfiles, making potentially sensitive world-readable and executable.

dailycve form:

Platform: pnpm
Version: <8.15.4
Vulnerability: Path Traversal
Severity: Critical
date: 2024-12-31

Prediction: Patch 2024-01-15

What Undercode Say:

Malicious package.json
echo '{"name":"malicious","directories":{"bin":"../../../../tmp/target"}}' > package.json
Vulnerable Code Snippet (index.ts:15-21)
if (manifest.directories?.bin) {
const binDir = path.join(pkgPath, manifest.directories.bin) // NO VALIDATION
const files = await findFiles(binDir)
// ... chmod 755 files
}
Check file permissions
ls -la /tmp/target/secret.sh

How Exploit:

1. Attacker publishes malicious npm package.

2. Package defines `directories.bin` with path traversal.

3. Victim installs package via `pnpm add`.

4. pnpm changes permissions on targeted external files.

Protection from this CVE:

Upgrade pnpm >=8.15.4.

Validate `isSubdir(pkgPath, binDir)`.

Impact:

Supply-chain attack.

Arbitrary file permission changes.

Unix/Linux/macOS only.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top