CVE-2024-38366

CRITICAL

trunk.cocoapods.org - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-38366. PoCs published by ReeFSpeK.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2024-38366, a remote code execution vulnerability in CocoaPods Trunk Server. It explains the root cause, code flow, and exploitation steps, including bypassing input validation and MX record manipulation.

Description

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via an DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.

Exploits (1)

nomisec WRITEUP 1 stars

by ReeFSpeK · poc

https://github.com/ReeFSpeK/CocoaPods-RCE_CVE-2024-38366

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2024-38366, a remote code execution vulnerability in CocoaPods Trunk Server. It explains the root cause, code flow, and exploitation steps, including bypassing input validation and MX record manipulation.

Classification

Writeup 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: CocoaPods Trunk Server (master branch at time of research)

No auth needed

Prerequisites: Control over a domain with configurable MX records · Ability to host a payload server · Network access to the target Trunk Server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory x_refsource_confirm

https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-x2x4-g675-qg7c

Vendor Advisory x_refsource_misc

https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023

Exploit, Third Party Advisory x_refsource_misc

https://evasec.webflow.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#2-remote-code-execution-on-the-cocoapods-trunk-server

Scores

CVSS v3 10.0

EPSS 0.1765

EPSS Percentile 96.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-74

Status published

Products (1)

cocoapods/trunk.cocoapods.org < 2023-09-22

Published Jul 01, 2024

Tracked Since Feb 18, 2026