
CVE-2024-53866 – pnpm vulnerable to no-script global cache poisoning via overrides / `ignore-scripts` evasion
https://notcve.org/view.php?id=CVE-2024-53866
10 Dec 2024 — The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can make workspace A (even running with `ignore-scripts=true`) poison global cache and execute scripts in workspace B. Users generally expect `ignore-scripts` to be sufficient to prevent ... • https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743 • CWE-426: Untrusted Search Path •

CVE-2023-37478 – pnpm incorrectly parses tar archives relative to specification
https://notcve.org/view.php?id=CVE-2023-37478
01 Aug 2023 — pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry, is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8. • https://github.com/li-minhao/CVE-2023-37478-Demo • CWE-284: Improper Access Control •

CVE-2022-26183
https://notcve.org/view.php?id=CVE-2022-26183
21 Mar 2022 — PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS. • https://github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb • CWE-426: Untrusted Search Path •