Access Control Bypass Affecting @pnpm/cafs package, versions <7.0.5
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.17% (55th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-PNPMCAFS-5812121
- published 1 Aug 2023
- disclosed 1 Aug 2023
- credit Unknown
Introduced: 1 Aug 2023
CVE-2023-37478 Open this link in a new tabHow to fix?
Upgrade @pnpm/cafs
to version 7.0.5 or higher.
Overview
@pnpm/cafs is an A content-addressable filesystem for the packages storage
Affected versions of this package are vulnerable to Access Control Bypass. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm.
References
CVSS Scores
version 3.1