GHSA-hg3w-7f8c-63hpMedium
pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile
🔗 CVE IDs covered (1)
📋 Description
Summary
A malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile.
Details
The lockfile does not store the hash of the dependencies from https://codeload.github.com
This means that if this server was compromised or a person's machine configuration was compromised, pnpm would download and install these dependencies.
PoC
> pnpm -v
10.28.2
Given the following package.json:
{
"dependencies": {
"add": "git://github.com/dsherret/npm-git-dep.git#b3eeb9b"
}
}
This produces a lockfile like so:
lockfileVersion: '9.0'
settings:
autoInstallPeers: true
excludeLinksFromLockfile: false
importers:
.:
dependencies:
add:
specifier: git://github.com/dsherret/npm-git-dep.git#b3eeb9b
version: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b
packages:
add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b:
resolution: {tarball: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b}
version: 1.0.0
snapshots:
add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b: {}
Notice that there is no hash. The b3eeb9b is not sufficient because I can configure my machine to resolve a compromised tarball from that url (I tested it out and pnpm just installs it).
Impact
Anyone relying on github git dependencies.
🎯 Affected products2
- npm/pnpm:< 10.33.4
- npm/pnpm:>= 11.0.0, < 11.0.7