pnpm Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in pnpm, the Node.js package manager, affecting versions from 6.25.0 up to but not including 10.27.0. pnpm substitutes environment variable references of the form ${NAME} into values read from .npmrc files, and it applied that substitution to tokenHelper settings as well. A tokenHelper names an executable that pnpm runs to obtain a registry authentication token, so a substituted tokenHelper value lets the environment decide which program pnpm executes. An attacker who can manipulate environment variables during a pnpm operation, as is often possible in CI and build environments, can therefore execute arbitrary code.

Impact

Successful exploitation gives the attacker arbitrary code execution with the privileges of the user running pnpm, which in a build pipeline is typically the CI service account. From there the attacker can take any action that user can, such as reading secrets available to the build or tampering with its output, so the vulnerability can lead to unauthorized actions or access within the environment.

Reproduction

To reproduce this vulnerability, create a .npmrc file whose tokenHelper setting refers to an environment variable rather than a fixed path, then set that variable in pnpm's environment to the path of a malicious script. When pnpm reads the file it substitutes the variable, so the setting now points at the script; the next time pnpm needs a token for that registry it executes the configured helper, which runs the script and yields code execution. The attacker does not need write access to .npmrc itself: once such a setting exists, controlling the environment variable is sufficient, which is why an environment the attacker can influence (for example a CI job that consumes untrusted inputs) is the relevant threat model.

Remediation

Update to pnpm version 10.27.0 or later, where this vulnerability has been patched. Where updating is not immediately possible, remove tokenHelper settings from .npmrc files (or at least never build them from environment variable references) and authenticate to npm registries with directly configured tokens instead. A token value substituted from the environment is only data passed to the registry, whereas a substituted tokenHelper path selects an executable; that difference is what makes the latter dangerous. Audit .npmrc files checked into repositories and present on build agents, since a single environment-dependent tokenHelper entry is enough to expose the pipeline.
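The reproduction and remediation above, as an added worked example that is not code from the original page or from the pnpm project: a small JavaScript audit that parses an .npmrc, flags tokenHelper entries whose executable path is chosen by ${VAR} substitution, emulates the substitution to show the path pnpm would run, and rewrites the file to disable those entries. The .npmrc contents, the registry hostnames, the environment values and the /tmp/evil.sh path are constructed for the example; the two tokenHelper key forms, the ${NAME} syntax and the absolute-path requirement follow pnpm's documented behaviour, while the POSIX-only path test is an assumption.

```javascript
// Added example (not pnpm's own code): audit an .npmrc for tokenHelper
// settings whose executable path is chosen by ${VAR} substitution, show the
// path that would be executed, and rewrite the file to disable such entries.
// Everything below (.npmrc text, hostnames, env values, /tmp/evil.sh) is
// constructed for this example.

// ${NAME} reference as pnpm's .npmrc substitution accepts it (assumption:
// NAME limited to shell-style identifier characters).
const ENV_REF = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Names of every ${NAME} reference in a value, in order of appearance.
function envRefs(value) {
  return [...value.matchAll(ENV_REF)].map((m) => m[1]);
}

// Minimal ini-style key=value parser; '#' and ';' start comment lines.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Emulates the substitution step; references to unset variables stay as-is.
function expandEnv(value, env) {
  return value.replace(ENV_REF, (match, name) =>
    Object.prototype.hasOwnProperty.call(env, name) ? env[name] : match);
}

// Global form (tokenHelper=...) and registry-scoped form (//host/:tokenHelper=...).
function isTokenHelperKey(key) {
  return key === 'tokenHelper' || key.endsWith(':tokenHelper');
}

// One finding per tokenHelper entry. envControlled is the pre-10.27.0
// condition this advisory describes: the environment picks the executable.
function auditTokenHelpers(text, env) {
  const findings = [];
  for (const { key, value } of parseNpmrc(text)) {
    if (!isTokenHelperKey(key)) continue;
    const refs = envRefs(value);
    const resolved = expandEnv(value, env);
    findings.push({
      key,
      value,
      refs,
      resolved,
      envControlled: refs.length > 0,
      // pnpm requires an absolute helper path; POSIX-only test, an assumption.
      absolute: resolved.startsWith('/'),
    });
  }
  return findings;
}

// Remediation: comment out every environment-dependent tokenHelper line so
// pnpm never runs a binary the environment selected.
function disableEnvTokenHelpers(text) {
  return text
    .split(/\r?\n/)
    .map((raw) => {
      const line = raw.trim();
      const eq = line.indexOf('=');
      if (eq < 0 || line.startsWith('#') || line.startsWith(';')) return raw;
      const key = line.slice(0, eq).trim();
      const value = line.slice(eq + 1);
      if (isTokenHelperKey(key) && envRefs(value).length > 0) {
        return '# disabled (env-dependent tokenHelper): ' + line;
      }
      return raw;
    })
    .join('\n');
}

// Constructed .npmrc: one env-dependent helper, one static helper, one token.
const SAMPLE_NPMRC = [
  'registry=https://registry.npmjs.org/',
  '# helper path taken from the environment: exploitable before 10.27.0',
  '//registry.npmjs.org/:tokenHelper=${NPM_TOKEN_HELPER}',
  '# static helper path: the environment cannot redirect it',
  '//registry.corp.example/:tokenHelper=/usr/local/bin/corp-token',
  '# a substituted token is data sent to the registry, not an executable',
  '//registry.corp.example/:_authToken=${CORP_TOKEN}',
].join('\n');

// Constructed environment as an attacker who controls it might set it.
const ATTACKER_ENV = { NPM_TOKEN_HELPER: '/tmp/evil.sh', CORP_TOKEN: 'not-a-real-token' };

function demo() {
  const findings = auditTokenHelpers(SAMPLE_NPMRC, ATTACKER_ENV);
  for (const f of findings) {
    const tag = f.envControlled ? `  [env-controlled via ${f.refs.join(', ')}]` : '';
    console.log(`${f.key} -> ${f.resolved}${tag}`);
  }
  console.log('\nremediated .npmrc:\n' + disableEnvTokenHelpers(SAMPLE_NPMRC));
  return findings;
}

demo();
```

Run it with node; the first finding resolves to /tmp/evil.sh and is marked env-controlled, the static corporate helper is not, and the _authToken line is ignored because a substituted token is data rather than a program. Pointing auditTokenHelpers at the real process.env of a build agent is the check worth wiring into CI until every runner is on 10.27.0 or later.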

Added: Jan 7, 2026, 11:18 PM
Updated: Jan 7, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 4.2
remediation: 8.3
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.