PT-2023-25988 · Pnpm · Pnpm

High · zkochan · Published 2023-08-01 · Updated 2023-08-04 · CVE-2023-37478

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 7.33.4; pnpm versions prior to 8.6.8

Description: The issue arises from how pnpm parses tar archives, allowing a tarball to be constructed that appears safe when installed via npm or parsed by the registry but is malicious when installed via pnpm. This can result in a package that looks safe on the npm registry, or when installed via npm, being replaced with a compromised or malicious version when installed via pnpm. Because the TAR format is append-only and updates a file by appending a new copy, an archive can legitimately contain multiple entries with the same name, such as package.json; the expected behaviour is that every copy except the last is ignored during extraction. Prior to the fix, pnpm instead extracted only the first entry of a given name and discarded later entries with the same name, so the registry and npm see the last copy while pnpm installs the first.

Recommendations: For pnpm versions prior to 7.33.4, update to version 7.33.4 or later. For pnpm versions prior to 8.6.8, update to version 8.6.8 or later. As a temporary workaround, consider avoiding the use of pnpm for installing packages until a patched version is applied.
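As an added illustration of the mechanism described above (example code written for this page, not pnpm's or npm's own tar handling): a Python pre-install check that lists archive members appearing more than once, resolves the archive under both "last entry wins" (the TAR convention followed by npm and the registry) and "first entry wins" (pnpm before the fix), and reports the names whose content differs between the two. The in-memory tarball, the two sample manifests and the function names (`build_tar`, `duplicate_members`, `resolve_members`, `divergent_members`) are constructed for this example.

```python
import io
import tarfile
from collections import Counter


def build_tar(entries):
    """Build an in-memory uncompressed tar from (name, bytes) pairs, in order.
    Duplicate names are written as-is, mirroring the append-only TAR layout
    the advisory describes. Constructed test fixture, not a real package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def duplicate_members(tar_bytes):
    """Return {name: occurrence_count} for every member name seen more than once."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        counts = Counter(m.name for m in tar.getmembers())
    return {name: n for name, n in counts.items() if n > 1}


def resolve_members(tar_bytes, last_wins=True):
    """Return {name: content} for regular files.
    last_wins=True  -> later copies replace earlier ones (TAR convention, npm, registry).
    last_wins=False -> the first copy is kept and later ones dropped (pnpm before the fix)."""
    resolved = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if member.name in resolved and not last_wins:
                continue
            resolved[member.name] = tar.extractfile(member).read()
    return resolved


def divergent_members(tar_bytes):
    """Names whose content differs between first-wins and last-wins extraction.
    A non-empty result means two consumers of the same tarball would install
    different files, which is exactly the condition a reviewer wants flagged."""
    first = resolve_members(tar_bytes, last_wins=False)
    last = resolve_members(tar_bytes, last_wins=True)
    return sorted(name for name in duplicate_members(tar_bytes)
                  if first.get(name) != last.get(name))


# Constructed sample manifests: the copies differ only in the "main" field.
MANIFEST_A = b'{"name":"demo-pkg","version":"1.0.0","main":"index.js"}'
MANIFEST_B = b'{"name":"demo-pkg","version":"1.0.0","main":"other.js"}'

# Constructed tarball with package.json appended twice.
SAMPLE_TARBALL = build_tar([
    ("package/package.json", MANIFEST_A),
    ("package/index.js", b"module.exports = 1;\n"),
    ("package/package.json", MANIFEST_B),
])

if __name__ == "__main__":
    print("duplicates:", duplicate_members(SAMPLE_TARBALL))
    print("divergent :", divergent_members(SAMPLE_TARBALL))
```

Run the file directly to see the duplicate report for the constructed sample; in practice you would feed `divergent_members` the bytes of a downloaded tarball before handing it to any package manager, and treat any non-empty result as a reason to stop and inspect.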

Exploit

Fix

Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2023-37478
GHSA-5R98-F33J-G8H7

Affected Products

Pnpm