CVE-2023-37478
CVE-2023-37478 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry, is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. EPSS estimates a 0.93% chance of exploitation in the next 30 days.
Description
pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry, is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry, or when installed via npm, being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in versions 7.33.4 and 8.6.8.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pnpm | Pnpm | < 7.33.4 |
| Pnpm | Pnpm | >= 8.0.0, < 8.6.8 |
References
- Release Notes (v7.33.4): https://github.com/pnpm/pnpm/releases/tag/v7.33.4
- Release Notes (v8.6.8): https://github.com/pnpm/pnpm/releases/tag/v8.6.8
Source: NVD / NIST
