Interpretation Conflict in pnpm - CVE-2023-37478
Published: August 1, 2023 / Updated: April 27, 2026
pnpm
Description
The vulnerability allows a remote attacker to cause installation of a malicious package version.
The vulnerability exists due to improper handling of duplicate archive entries during tar archive extraction in pnpm when processing a crafted tarball. A remote attacker can supply a specially crafted package tarball to cause installation of a malicious package version.
The issue arises because pnpm uses the first file with a given name in the archive, while other package managers are expected to use the last matching entry after path component stripping. A tarball containing two entries that resolve to the same path therefore installs different contents under pnpm than under other package managers.
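As an added example that is not part of this advisory or of pnpm's own code, the following Python check scans a package tarball for entries that collide after the leading path component is stripped, which is the condition under which the first-entry and last-entry interpretations diverge. The sample tarball is constructed inline; the function names and the `strip_components=1` default (matching the `package/` prefix convention of npm tarballs) are this example's own assumptions.

```python
import io
import posixpath
import tarfile


def _normalize(name: str, strip_components: int = 1) -> str:
    """Normalize an archive member name and drop leading path components."""
    parts = [p for p in posixpath.normpath(name).split("/") if p and p != "."]
    return "/".join(parts[strip_components:])


def find_duplicate_entries(tar_bytes: bytes, strip_components: int = 1) -> dict:
    """Map each colliding post-strip path to the contents of every entry for it,
    in archive order. A 'first entry wins' extractor installs element 0; a
    'last entry wins' extractor installs element -1. Non-empty result means
    the tarball is interpreted differently by the two policies."""
    seen: dict = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:  # iterates every entry, duplicates included
            if not member.isfile():
                continue
            key = _normalize(member.name, strip_components)
            data = tf.extractfile(member).read()
            seen.setdefault(key, []).append(data)
    return {k: v for k, v in seen.items() if len(v) > 1}


def build_sample_tarball() -> bytes:
    """Constructed sample: two package.json entries under different top-level
    directories that collide once the first path component is stripped."""
    entries = [
        ("package/package.json", b'{"name":"demo","version":"1.0.0"}'),
        ("package/index.js", b"module.exports = 1;\n"),
        ("other-dir/package.json", b'{"name":"demo","version":"9.9.9"}'),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for path, versions in find_duplicate_entries(build_sample_tarball()).items():
        print(f"{path}: first={versions[0]!r} last={versions[-1]!r}")
```

Running the check with `strip_components=0` reports no collision for the same tarball, which shows why the stripping step matters when comparing extractors.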