CVE-2023-37478

7.5 HIGH

📋 TL;DR

This vulnerability in pnpm allows attackers to create specially crafted tarballs that appear safe when inspected on the npm registry or installed via npm, but execute malicious code when installed via pnpm, because pnpm parses the tar archive differently. It affects all users installing packages with pnpm versions before the patched releases. Attackers could exploit this to compromise systems through supply chain attacks.

💻 Affected Systems

Products:
  • pnpm
Versions: All versions before 7.33.4 and 8.6.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects pnpm installations; npm installations of the same packages are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via arbitrary code execution, data theft, or ransomware deployment through malicious packages that appear legitimate.

🟠 Likely Case

Malicious package installation leading to credential theft, cryptocurrency mining, or backdoor installation in development environments.

🟢 If Mitigated

No impact if using patched pnpm versions or verifying package integrity through other means.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires creating specially crafted tarballs and convincing users to install them via pnpm.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.33.4 or 8.6.8

Vendor Advisory: https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7

Restart Required: No

Instructions:

1. Check current pnpm version: pnpm --version
2. Update pnpm: npm install -g pnpm@latest
3. Verify update: pnpm --version should show 7.33.4+ or 8.6.8+

🔧 Temporary Workarounds

Use npm instead of pnpm

Platform: all

Temporarily switch to npm for package installation until pnpm is updated:

npm install package-name

Verify package integrity

Platform: all

Manually inspect packages before installation or use checksum verification.

🧯 If You Can't Patch

  • Implement strict package source whitelisting and only install from trusted repositories
  • Use isolated development environments or containers to limit potential damage from malicious packages

🔍 How to Verify

Check if Vulnerable:

Run: pnpm --version and check whether the version is below 7.33.4 (for the v7 line) or below 8.6.8 (for the v8 line).

Check Version:

pnpm --version

Verify Fix Applied:

After updating, run: pnpm --version and confirm the version is 7.33.4+ (v7 line) or 8.6.8+ (v8 line).
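The version check above is easy to get wrong by hand (a plain string comparison ranks 7.9.0 above 7.33.4). The following POSIX sh script is an added example, not part of this advisory or of the pnpm project; it normalizes a version string, compares it numerically against the two fixed versions named here (7.33.4 for the 7.x line and earlier, 8.6.8 for the 8.x line), and, when run directly, reports on the pnpm found in PATH. Pre-release and build suffixes (for example 8.6.8-beta.0) are stripped before comparison, which errs on the side of treating such builds as patched.

```shell
#!/bin/sh
# Added example: classify a pnpm version against the fix versions in CVE-2023-37478.

# Normalize a version string to exactly three numeric fields:
# drop a leading "v", drop pre-release/build suffixes, pad missing fields with 0.
normalize_version() {
    v="${1#v}"
    v="${v%%-*}"
    v="${v%%+*}"
    printf '%s\n' "$v.0.0" | cut -d. -f1-3
}

# version_lt A B: exit 0 if version A is strictly less than B, 1 otherwise.
# Fields are compared numerically, so 7.9.0 < 7.33.4 as semver intends.
version_lt() {
    a=$(normalize_version "$1")
    b=$(normalize_version "$2")
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal
}

# pnpm_vulnerable VERSION: exit 0 if VERSION is in the affected range stated by
# this advisory (everything below 7.33.4, and 8.x below 8.6.8), 1 otherwise.
pnpm_vulnerable() {
    major=$(normalize_version "$1" | cut -d. -f1)
    if [ "$major" -le 7 ]; then
        version_lt "$1" 7.33.4
    elif [ "$major" -eq 8 ]; then
        version_lt "$1" 8.6.8
    else
        return 1   # 9.x and later are outside the affected range
    fi
}

# Stand-alone use: check the pnpm installed on this machine, if any.
if command -v pnpm >/dev/null 2>&1; then
    installed=$(pnpm --version)
    if pnpm_vulnerable "$installed"; then
        echo "pnpm $installed is affected by CVE-2023-37478; update to 7.33.4 or 8.6.8"
    else
        echo "pnpm $installed is not in the affected range"
    fi
fi
```

Run it on each developer machine or CI runner, or source it and call pnpm_vulnerable "$(pnpm --version)" in an existing inventory script; a non-zero exit from pnpm_vulnerable means the installed version is at or above the fix.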

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file writes during package installation
  • Suspicious network connections from pnpm processes

Network Indicators:

  • Downloads from unusual package sources
  • Unexpected outbound connections after package installation

SIEM Query:

process_name:pnpm AND (file_create OR network_connection)
