SB2023080177 - Interpretation Conflict in pnpm
Published: August 1, 2023 Updated: April 27, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Interpretation Conflict (CVE-ID: CVE-2023-37478)
The vulnerability allows a remote attacker to cause installation of a malicious package version.
The vulnerability exists due to improper handling of duplicate entries during tar archive extraction in pnpm when processing a crafted tarball. A remote attacker can supply a specially crafted package tarball to cause installation of a malicious package version.
The issue arises because pnpm uses the first file with a given name in the archive, while other package managers are expected to use the last matching entry after path component stripping.
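The following Python is an added defender-side check, not pnpm's code: it builds a constructed tarball containing two entries that collapse to the same path once the leading directory is stripped, then reports what a first-wins extractor (pnpm's behaviour described above) and a last-wins extractor would each keep. The "package/" prefix, the single stripped component and the helper names are assumptions.

```python
import io
import tarfile


def build_ambiguous_tarball() -> bytes:
    """Constructed sample: two members named package/index.js with different bodies."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for payload in (b"module.exports = 'first entry';\n",
                        b"module.exports = 'second entry';\n"):
            info = tarfile.TarInfo(name="package/index.js")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def strip_components(name: str, n: int = 1) -> str:
    """Mimic `tar --strip-components=n` (assumed: npm-style removal of 'package/')."""
    return "/".join(name.split("/")[n:])


def find_duplicate_entries(tar_bytes: bytes, strip: int = 1) -> dict:
    """Map each stripped path that occurs more than once to its member contents, in order.

    A non-empty result means the tarball is ambiguous: extractors that keep the
    first entry and extractors that keep the last would install different files.
    """
    seen: dict = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = strip_components(member.name, strip)
            seen.setdefault(path, []).append(tar.extractfile(member).read())
    return {p: bodies for p, bodies in seen.items() if len(bodies) > 1}


def first_vs_last(tar_bytes: bytes, strip: int = 1) -> dict:
    """For every duplicated path, show the body a first-wins vs a last-wins extractor keeps."""
    return {p: {"first_wins": bodies[0], "last_wins": bodies[-1]}
            for p, bodies in find_duplicate_entries(tar_bytes, strip).items()}


if __name__ == "__main__":
    for path, outcome in first_vs_last(build_ambiguous_tarball()).items():
        print(f"ambiguous entry {path!r}: first-wins={outcome['first_wins']!r} "
              f"last-wins={outcome['last_wins']!r}")
```

Running the same check over a real package tarball before installation flags any archive whose install result depends on the extractor's duplicate-entry policy.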
Remediation
Install update from vendor's website.