Listen to this Post
How the Vulnerability (CVE-2024-28199) Works
This critical vulnerability in pnpm’s package installation process is a path traversal attack stemming from flawed validation and normalization of binary command names specified in a package’s `bin` field. The exploit chain begins when pnpm processes a malicious package containing a `bin` key that starts with an `@` symbol (e.g., "@scope/../../../evil"). The validation logic explicitly allows any bin name starting with `@` to pass through without checking for directory traversal sequences (../). Subsequently, a normalization function attempts to handle scoped package names by stripping the scope prefix (everything up to and including the first /). For the input @scope/../../../evil, this normalization outputs ../../../evil, preserving the full path traversal payload. Finally, this normalized, malicious string is passed unsanitized to Node.js’s `path.join()` function when creating symlinks. This causes pnpm to create the executable shim or symlink in a directory completely outside the isolated `node_modules/.bin` folder, dictated by the number of `../` sequences, allowing arbitrary file write in the project’s root directory or parent directories.
dailycve form
Platform: pnpm
Version: < 8.15.4
Vulnerability: Path Traversal
Severity: Critical
date: 2024-03-20
Prediction: Patched 2024-03-20
What Undercode Say
Analytics
Craft malicious package.json
cat > package.json << 'EOF'
{
"name": "malicious-pkg",
"bin": {
"@scope/../../.npmrc": "./evil.js"
}
}
EOF
Package and install locally
npm pack
pnpm add ./malicious-pkg-1.0.0.tgz
Check for file creation outside node_modules
ls -la .npmrc
How Exploit
- Attacker publishes a malicious npm package with a crafted `bin` field.
- The `bin` key name uses an `@` prefix and contains path traversal sequences (e.g.,
@scope/../../../target-file). - Victim installs the package using a vulnerable version of pnpm (
pnpm add malicious-pkg). - During installation, pnpm’s validation bypass and incomplete normalization allow the traversal payload to reach
path.join(). - A symlink or shim for the binary is created at the calculated location (e.g., `./target-file` in the project root), overwriting any existing file.
Protection from this CVE
Update pnpm immediately to version 8.15.4 or later. The patch enforces proper validation and path sanitization for all `bin` names, including those with an `@` prefix, preventing traversal sequences from being retained.
Impact
Arbitrary file creation/write in the installation directory. Can overwrite critical configuration files (e.g., .npmrc, CI scripts), potentially leading to credential theft, remote code execution, and compromise of CI/CD pipelines.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

