pnpm incorrectly parses tar archives relative to specification

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

访问控制不恰当

pnpm 访问控制错误漏洞

Github PNPM是快速、节省磁盘空间的包管理器。 pnpm 7.33.4 之前版本和 8.6.8之前版本存在访问控制错误漏洞，该漏洞源于在 npm 注册表上或通过 npm 安装时显示为安全的包在通过 pnpm 安装时被受损或恶意版本替换。

N/A

N/A