pnpm Arbitrary Code Execution Vulnerability in Git-Hosted Dependencies

Vulnerability

A vulnerability in pnpm, a package manager for Node.js, allows git-hosted dependencies to execute arbitrary code during installation. It affects pnpm versions 10.0.0 up to, but not including, 10.26.0. The issue bypasses a security feature introduced in pnpm v10 that disables dependency lifecycle scripts by default: postinstall scripts are blocked as intended, but when a dependency is fetched from a git repository pnpm still runs that package's prepare, prepublish and prepack scripts during the fetch phase. A malicious repository referenced as a dependency therefore achieves remote code execution on the installing machine without any prompt or opt-in from the user.

Impact

Exploitation gives an attacker arbitrary code execution on the machine running pnpm install, with the privileges of the user running it. That is enough to exfiltrate environment variables, secrets and credentials; modify source code or inject backdoors; establish persistence or a reverse shell; and access the filesystem and network.

Reproduction

To reproduce the issue, create a package whose package.json declares a prepare script that runs an observable command, such as writing a marker file. Host this package in a git repository. Then create a project that depends on it through a git dependency specifier rather than a registry version. Run 'pnpm install' in that project: the prepare script executes without any warning or prompt, and the marker file appears, even though pnpm v10 is supposed to block dependency lifecycle scripts by default. That silent execution is the bypass.

Remediation

Update to pnpm 10.26.0 or later, where this vulnerability has been fixed. Until the upgrade is in place, treat every git-hosted dependency specifier in package.json as code that will run on install, and review it as you would a postinstall script; the default script blocking does not protect against it on affected versions.
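The reproduction and remediation sections above describe a manual procedure. The following Node.js script is an added example, not code from pnpm or from this advisory: it builds the two package.json documents the reproduction calls for as constructed sample data, classifies which dependency specifiers resolve through git (the explicit git+, git://, github:, gitlab:, bitbucket: and gist: forms, https URLs ending in .git, and the bare user/repo shorthand as a heuristic), lists which of a fetched package's lifecycle scripts would run during the fetch phase (prepare, prepublish, prepack; postinstall stays blocked), and gates on the affected range 10.0.0 up to 10.26.0. The package names, the example.invalid URL and the pwned.txt marker are invented for the example.

```javascript
// Added example (not pnpm's or the advisory's code): a pre-install audit for the
// git-dependency lifecycle-script bypass. All package data below is constructed.

// Lifecycle scripts that affected pnpm versions still ran for a git-hosted
// dependency during the fetch phase. postinstall is deliberately absent:
// pnpm v10's default already blocks it.
const FETCH_PHASE_SCRIPTS = ['prepare', 'prepublish', 'prepack'];

// Constructed: the malicious package from the reproduction, hosted in git.
// Its prepare script drops a marker file; a real payload could ship process.env.
const maliciousPackageJson = {
  name: 'evil-git-dep', // invented name
  version: '1.0.0',
  scripts: {
    prepare: 'node -e "require(\'fs\').writeFileSync(\'pwned.txt\', \'prepare ran\')"',
    postinstall: 'echo this one is blocked by the v10 default',
  },
};

// Constructed: the consumer project. Only some specifiers resolve through git.
const consumerPackageJson = {
  name: 'victim-app', // invented name
  version: '0.0.1',
  dependencies: {
    'evil-git-dep': 'git+https://example.invalid/attacker/evil-git-dep.git#main',
    lodash: '^4.17.21',
    '@scope/thing': 'github:someorg/thing#v1',
    'shorthand-dep': 'someuser/somerepo#abc123',
  },
  devDependencies: {
    'local-thing': 'file:../local-thing',
    typescript: 'npm:typescript@5.4.0',
  },
};

// Does a specifier resolve through git instead of the registry? Covers the
// explicit forms (git+<proto>:, git:, github:, gitlab:, bitbucket:, gist:),
// https URLs ending in .git, and the bare `user/repo[#ref]` GitHub shorthand.
// The shorthand rule is a heuristic: no scheme, exactly one slash, not scoped.
function isGitSpecifier(spec) {
  if (typeof spec !== 'string') return false;
  if (/^(git\+[a-z]+:|git:|github:|gitlab:|bitbucket:|gist:)/i.test(spec)) return true;
  if (/^https?:\/\/.*\.git(#.*)?$/i.test(spec)) return true;
  return /^[a-z0-9-]+\/[a-z0-9_.-]+(#.*)?$/i.test(spec);
}

// Every git-hosted dependency across the dependency fields pnpm installs.
function findGitDependencies(pkg) {
  const hits = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isGitSpecifier(spec)) hits.push({ name, spec, field });
    }
  }
  return hits;
}

// Which of a fetched package's scripts would run during the fetch phase.
function fetchPhaseScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return FETCH_PHASE_SCRIPTS.filter((s) => typeof scripts[s] === 'string');
}

// Affected range from the advisory: >=10.0.0 <10.26.0. A 10.26.0 prerelease
// still sorts below 10.26.0, so it counts as affected. Returns null when the
// input is not a version string at all, so callers can treat "unknown" apart.
function isVulnerablePnpmVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return null;
  const [major, minor, patch] = [Number(m[1]), Number(m[2]), Number(m[3])];
  if (major !== 10) return false;
  if (minor < 26) return true;
  return minor === 26 && patch === 0 && Boolean(m[4]);
}

// Full report: is this pnpm affected, which deps come from git, and which of
// their scripts would run. `resolved` maps dep name -> that repo's package.json,
// which is only known once the repo has been cloned (null until then).
function audit(consumerPkg, resolved, pnpmVersion) {
  const findings = findGitDependencies(consumerPkg).map((dep) => ({
    ...dep,
    fetchPhaseScripts: resolved[dep.name] ? fetchPhaseScripts(resolved[dep.name]) : null,
  }));
  return { pnpmVersion, vulnerable: isVulnerablePnpmVersion(pnpmVersion), findings };
}

console.log(JSON.stringify(
  audit(consumerPackageJson, { 'evil-git-dep': maliciousPackageJson }, '10.25.0'),
  null, 2));
```

Run it with node against a real project by replacing consumerPackageJson with the parsed package.json and pnpmVersion with the output of `pnpm --version`; any finding with a non-empty fetchPhaseScripts list on a vulnerable version is code that will run during install.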

Added: Jan 7, 2026, 10:30 PM
Updated: Jan 7, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 7.5
exploitability: 5.8
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.