CVE-2023-37478

HIGH

pnpm < 7.33.4 - Improper Access Control via Tarball Parsing

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-37478. PoCs published by TrevorGKann, li-minhao.

AI-analyzed exploit summary This PoC demonstrates CVE-2023-37478, exploiting a difference in how `npm` and `pnpm` handle tarball installations. The exploit leverages a maliciously crafted tarball with two versions of a package, where `pnpm` installs the older, malicious version due to its handling of tarball contents.

Description

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.

Exploits (2)

nomisec WORKING POC

by TrevorGKann · poc

https://github.com/TrevorGKann/CVE-2023-37478_npm_vs_pnpm

View Code ZIP pw:eip

This PoC demonstrates CVE-2023-37478, exploiting a difference in how `npm` and `pnpm` handle tarball installations. The exploit leverages a maliciously crafted tarball with two versions of a package, where `pnpm` installs the older, malicious version due to its handling of tarball contents.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: pnpm versions before the fix (e.g., v8.6.7)

No auth needed

Prerequisites: Vulnerable version of pnpm · Ability to distribute a malicious tarball

MITRE ATT&CK

T1195.002 - Compromise Software Supply Chain

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by li-minhao · poc

https://github.com/li-minhao/CVE-2023-37478-Demo

View Code ZIP pw:eip

This repository demonstrates CVE-2023-37478, a vulnerability in a Tic-Tac-Toe game where the `calculateWinner` function in the bad version always returns 'O' as the winner, regardless of the actual game state. The PoC includes both vulnerable and patched versions for comparison.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Tic-Tac-Toe game (custom implementation)

No auth needed

Prerequisites: Access to the vulnerable Tic-Tac-Toe game implementation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7

Release Notes x_refsource_misc

https://github.com/pnpm/pnpm/releases/tag/v7.33.4

Release Notes x_refsource_misc

https://github.com/pnpm/pnpm/releases/tag/v8.6.8

Scores

CVSS v3 7.5

EPSS 0.0230

EPSS Percentile 85.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-284

Status published

Products (10)

npm/pnpm 0 - 7.33.4npm

pnpm/cafs 0 - 7.0.5npm

pnpm/exe 0 - 7.33.4npm

pnpm/linux-arm64 0 - 7.33.4npm

pnpm/linux-x64 0 - 7.33.4npm

pnpm/linuxstatic-arm64 0 - 7.33.4npm

pnpm/macos-arm64 0 - 7.33.4npm

pnpm/macos-x64 0 - 7.33.4npm

pnpm/pnpm < 7.33.4

pnpm/win-x64 0 - 7.33.4npm

Published Aug 01, 2023

Tracked Since Feb 18, 2026