pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.
History

Fri, 11 Oct 2024 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-08-01T11:43:04.080Z

Updated: 2024-10-10T16:00:56.935Z

Reserved: 2023-07-06T13:01:36.999Z

Link: CVE-2023-37478

cve-icon Vulnrichment

Updated: 2024-08-02T17:16:30.881Z

cve-icon NVD

Status : Modified

Published: 2023-08-01T12:15:09.937

Modified: 2024-11-21T08:11:47.787

Link: CVE-2023-37478

cve-icon Redhat

No data.