Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade @pnpm/config to version 1004.11.3 or higher.
Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the handling of configDependencies from pnpm-workspace.yaml, where installDeps.ts resolves and spawns a repository-selected native install engine without verifying that the repository is authorized to choose one. An attacker can execute a registry-selected native binary with the victim's filesystem, environment, registry and git or SSH credentials, and network access by publishing a repository that declares pacquet or @pnpm/pacquet in configDependencies, which is then run from node_modules/.pnpm-config. Exploitation requires the victim to run a dependency-management command such as pnpm install in the malicious repository.