Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
pnpm vulnerable to no-script global cache poisoning via overrides / `ignore-scripts` evasion
Vulnerability Description
The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B. Users generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it). Here, that expectation is broken. Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs. Version 9.15.0 fixes the issue. As a work-around, use separate cache and store dirs in each workspace.
CVSS Information
N/A
Vulnerability Type
不可信的搜索路径
Vulnerability Title
pnpm 代码问题漏洞
Vulnerability Description
pnpm是pnpm开源的一个包管理器。 pnpm 9.14.4及之前版本存在代码问题漏洞,该漏洞源于存在处理覆盖和全局缓存不当的漏洞,可导致在后续安装中运行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A