
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2023-37478) was discovered in pnpm, a package manager, affecting versions prior to 7.33.4 and versions 8.0.0 through 8.6.8. The vulnerability relates to how pnpm incorrectly parses tar archives, allowing the construction of tarballs that appear safe when installed via npm or parsed by the registry but become malicious when installed via pnpm. This vulnerability was disclosed on August 1, 2023 (GitHub Advisory).
The vulnerability stems from pnpm's handling of the TAR format, which is an append-only archive format. According to the specification, when a file in a TAR archive is updated, a new record with the updated version is appended to the end, and during extraction every version except the last should be ignored. pnpm's implementation on top of tar-stream did the opposite: it extracted only the first file of a given name and discarded later files with the same name. This is particularly problematic because package managers strip the first path component when unpacking a package tarball, so entries placed under different root folders in the archive can collide at the same destination path (GitHub Advisory).
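The collision described above can be checked for before a tarball is trusted. The following is an added example, not code from pnpm or from the advisory: it builds a constructed in-memory .tgz in which the same relative path appears under two root folders, lists the paths whose records disagree after the first component is stripped, and shows how a spec-compliant reader (last record wins) and the vulnerable reader (first record wins) resolve them differently. The `strip=1` behaviour is modelled by a simple split on the first slash; symlinks and hard links are ignored for brevity.

```python
import io
import tarfile
from collections import defaultdict

def build_tarball(entries):
    """Write (archive_path, bytes) pairs into an in-memory .tgz in the given
    order; TAR permits the same path to appear more than once."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in entries:
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def strip_first_component(path):
    """Mimic strip=1 unpacking: 'package/index.js' -> 'index.js'."""
    parts = path.split("/", 1)
    return parts[1] if len(parts) == 2 else ""

def entries_by_stripped_path(tgz):
    """Map each stripped path to its contents in archive order, so more than
    one distinct content for a path means a collision."""
    seen = defaultdict(list)
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            target = strip_first_component(member.name)
            if member.isfile() and target:
                seen[target].append(tar.extractfile(member).read())
    return seen

def resolve(tgz, last_wins=True):
    """Pick the surviving content per path: last record (as the TAR spec and
    npm do) or first record (as the vulnerable pnpm reader did)."""
    chosen = entries_by_stripped_path(tgz)
    return {p: (c[-1] if last_wins else c[0]) for p, c in chosen.items()}

def find_collisions(tgz):
    """Return the stripped paths whose duplicate records differ in content."""
    return sorted(p for p, c in entries_by_stripped_path(tgz).items() if len(set(c)) > 1)

# Constructed sample: one relative path under two different root folders.
SAMPLE = build_tarball([
    ("package/package.json", b'{"name":"demo","version":"1.0.0"}'),
    ("package/index.js", b"module.exports = 'benign';\n"),
    ("other/index.js", b"module.exports = 'replaced';\n"),
])
```

A non-empty `find_collisions` result is the signal a registry or CI check would flag, since the installed tree then depends on which reader unpacks the archive.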
The vulnerability can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This discrepancy in package content could lead to the execution of malicious code or the installation of vulnerable dependencies without the user's knowledge (GitHub Advisory).
The vulnerability has been patched in pnpm versions 7.33.4 and 8.6.8, and users are strongly advised to upgrade to these or later versions. The fix ensures that when the same file is appended multiple times to a tarball, the last occurrence is the one selected when the tarball is unpacked (Release Notes).
Source: This report was generated using AI