How severe is CVE-2024-53866?

This vulnerability has a severity rating of MEDIUM with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2024-53866?

This is classified as CWE-426, which is a common weakness in software security.

CVE-2024-53866 - MEDIUM Severity | CVSS N/A

Vulnerability Description

The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B. Users generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it). Here, that expectation is broken. Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs. Version 9.15.0 fixes the issue. As a work-around, use separate cache and store dirs in each workspace.

Related Vulnerabilities

CVE-2011-4125

CRITICAL

CVSS:9.8(Critical)

A untrusted search path issue was found in Calibre at devices/linux_mount_helper.c leading to the ability of unprivileged users to execute any program as root.

CWE-4262011

CVE-2017-12414

CRITICAL

CVSS:9.8(Critical)

Format Factory 4.1.0 has a DLL Hijacking Vulnerability because an untrusted search path is used for msimg32.dll, WindowsCodecs.dll, and dwmapi.dll.

CWE-4262017

CVE-2017-2225

CRITICAL

CVSS:9.8(Critical)

Untrusted search path vulnerability in EbidSettingChecker.exe (version 1.0.0.0) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

CWE-4262017

CVE-2018-19486

CRITICAL

CVSS:9.8(Critical)

Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, becaus...

CWE-4262018

CVE-2020-15801

CRITICAL

CVSS:9.8(Critical)

In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The <executable-name>._pth file (e.g., the python._pth file) ...

CWE-4262020

CVE-2022-26184

CRITICAL

CVSS:9.8(Critical)

Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malici...

CWE-4262022