pnpm, Path Traversal, CVE-2024-28199 (Critical)

Listen to this Post

How the Vulnerability (CVE-2024-28199) Works

This critical vulnerability in pnpm’s package installation process is a path traversal attack stemming from flawed validation and normalization of binary command names specified in a package’s `bin` field. The exploit chain begins when pnpm processes a malicious package containing a `bin` key that starts with an `@` symbol (e.g., "@scope/../../../evil"). The validation logic explicitly allows any bin name starting with `@` to pass through without checking for directory traversal sequences (../). Subsequently, a normalization function attempts to handle scoped package names by stripping the scope prefix (everything up to and including the first /). For the input @scope/../../../evil, this normalization outputs ../../../evil, preserving the full path traversal payload. Finally, this normalized, malicious string is passed unsanitized to Node.js’s `path.join()` function when creating symlinks. This causes pnpm to create the executable shim or symlink in a directory completely outside the isolated `node_modules/.bin` folder, dictated by the number of `../` sequences, allowing arbitrary file write in the project’s root directory or parent directories.

dailycve form

Platform: pnpm
Version: < 8.15.4
Vulnerability: Path Traversal
Severity: Critical
date: 2024-03-20

Prediction: Patched 2024-03-20

What Undercode Say

Analytics

Craft malicious package.json
cat > package.json << 'EOF'
{
"name": "malicious-pkg",
"bin": {
"@scope/../../.npmrc": "./evil.js"
}
}
EOF
Package and install locally
npm pack
pnpm add ./malicious-pkg-1.0.0.tgz
Check for file creation outside node_modules
ls -la .npmrc

How Exploit

  1. Attacker publishes a malicious npm package with a crafted `bin` field.
  2. The `bin` key name uses an `@` prefix and contains path traversal sequences (e.g., @scope/../../../target-file).
  3. Victim installs the package using a vulnerable version of pnpm (pnpm add malicious-pkg).
  4. During installation, pnpm’s validation bypass and incomplete normalization allow the traversal payload to reach path.join().
  5. A symlink or shim for the binary is created at the calculated location (e.g., `./target-file` in the project root), overwriting any existing file.

Protection from this CVE

Update pnpm immediately to version 8.15.4 or later. The patch enforces proper validation and path sanitization for all `bin` names, including those with an `@` prefix, preventing traversal sequences from being retained.

Impact

Arbitrary file creation/write in the installation directory. Can overwrite critical configuration files (e.g., .npmrc, CI scripts), potentially leading to credential theft, remote code execution, and compromise of CI/CD pipelines.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top