CVE-2024-53866

9.8 CRITICAL

📋 TL;DR

This vulnerability in the pnpm package manager allows a malicious npm package to bypass security controls and execute arbitrary code during installation. It affects all users running pnpm versions before 9.15.0, particularly those using workspaces with the ignore-scripts setting, which fails to prevent code execution as expected.

💻 Affected Systems

Products:
  • pnpm
Versions: All versions prior to 9.15.0
Operating Systems: All operating systems where pnpm runs
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default configurations that use workspaces with the global cache. The ignore-scripts=true setting does not prevent exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via arbitrary code execution during package installation, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Malicious packages executing scripts during installation to steal credentials, install malware, or modify system configurations.

🟢 If Mitigated: Limited impact if using separate cache directories per workspace or isolated environments, though still vulnerable to cache poisoning attacks.

🌐 Internet-Facing: HIGH - Package managers frequently download from public repositories, making internet-facing systems prime targets for supply chain attacks.
🏢 Internal Only: MEDIUM - Internal development environments and CI/CD pipelines remain vulnerable to malicious internal packages or compromised dependencies.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires convincing a user to install a malicious package, but the attack chain is straightforward once the package is installed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.15.0

Vendor Advisory: https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r

Restart Required: No

Instructions:

1. Update pnpm globally: npm install -g pnpm@9.15.0
2. Update pnpm in each project: pnpm add -g pnpm@9.15.0
3. Clear global cache: pnpm store prune
4. Regenerate lockfiles in all workspaces

🔧 Temporary Workarounds

Use separate cache directories (applies to: all platforms)

Isolate each workspace by using unique cache and store directories to prevent cross-workspace contamination.

export PNPM_STORE_DIR=/unique/path/for/workspace
export PNPM_CACHE_DIR=/unique/cache/path

🧯 If You Can't Patch

  • Implement strict package source controls and only install from trusted internal registries
  • Run pnpm in isolated containers or virtual machines with no persistent cache between runs

🔍 How to Verify

Check if Vulnerable:

Run pnpm --version. If the reported version is lower than 9.15.0, you are vulnerable.

Check Version:

pnpm --version

Verify Fix Applied:

Confirm pnpm version is 9.15.0 or higher: pnpm --version
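As an added example (not code from the advisory or from the pnpm project), the version check above as a POSIX shell function: it compares the reported version against 9.15.0 component by component, so that a release such as 9.9.0 is not mistaken for a patched one by a plain string comparison. The function names and the FIXED_VERSION variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an installed pnpm is
# below the fixed release 9.15.0 (CVE-2024-53866). Components are compared as
# integers, because a plain string test would rank 9.9.0 above 9.15.0.
FIXED_VERSION="9.15.0"   # fixed release named in the advisory

# version_lt A B: return 0 when A is strictly lower than B (major.minor.patch,
# with an optional pre-release suffix such as "-rc.1" sorting below the release).
version_lt() {
    va=$1; vb=$2
    a_core=${va%%[-+]*}; b_core=${vb%%[-+]*}   # drop "-pre" / "+build" suffixes
    old_ifs=$IFS; IFS=.
    set -- $a_core; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b_core; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair#*:}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    # numeric parts equal: a pre-release of the fixed version is still older
    case "$va" in *-*) case "$vb" in *-*) return 1 ;; *) return 0 ;; esac ;; esac
    return 1
}

# is_vulnerable VERSION: return 0 when VERSION is affected by CVE-2024-53866.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed_pnpm: run the check against the pnpm found on PATH.
# Returns 1 when vulnerable, 2 when pnpm is absent, 0 when patched.
check_installed_pnpm() {
    if ! command -v pnpm >/dev/null 2>&1; then
        echo "pnpm not found on PATH"; return 2
    fi
    v=$(pnpm --version)
    if is_vulnerable "$v"; then
        echo "pnpm $v is affected by CVE-2024-53866; upgrade to $FIXED_VERSION or later"
        return 1
    fi
    echo "pnpm $v is at or above $FIXED_VERSION"
    return 0
}
```

Call check_installed_pnpm from a CI step and fail the job on a non-zero exit to keep unpatched pnpm builds from running.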

📡 Detection & Monitoring

Log Indicators:

  • Unexpected script execution during pnpm install
  • Cache directory modifications from unexpected sources
  • Package installation failures with script execution errors

Network Indicators:

  • Downloads from unexpected package repositories
  • Unusual network traffic patterns during package installation

SIEM Query:

Process execution where parent process contains 'pnpm' and command contains unexpected script names or suspicious patterns

🔗 References
