CVE-2024-38368: 
Ruby vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-38368) was discovered in CocoaPods, affecting older pods that migrated from the pre-2014 pull request workflow to trunk. The vulnerability, which has a CVSS score of 9.9, allowed attackers to take control of orphaned pods (packages that had never been claimed or had all owners removed) and potentially modify their contents. This issue affected the CocoaPods dependency manager, which is used by over three million applications across the Apple ecosystem (SecurityWeek, HackerNews).

The vulnerability stemmed from the 2014 migration to a Trunk server, which reset authorship for all pods. While authors were asked to claim ownership of their pods, 1,866 packages remained orphaned. These unclaimed pods were automatically associated with a default owner using the email address 'unclaimed-pods@cocoapods.org'. The vulnerability allowed attackers to exploit a public API endpoint for claiming pods without any ownership verification process (EVA Security).

The vulnerability potentially affected thousands of applications and millions of devices across the Apple ecosystem. Researchers found mentions of orphaned pods in applications provided by major companies including Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), Microsoft (Teams), as well as TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, and Zynga. Overall, 685 pods were identified that had explicit dependencies using orphaned pods (SecurityWeek).

CocoaPods addressed these vulnerabilities server-side in September and October 2023, and exploitation is no longer possible. The team also reset all user sessions as a precautionary measure. The 'Claim Your Pods' feature has been removed from the system (CocoaPods Blog).