CVE-2024-53866: 
JavaScript vulnerability analysis and mitigation

The package manager pnpm prior to version 9.15.0 contains a vulnerability related to mishandling of overrides and global cache. The issue was discovered and disclosed on December 10, 2024, affecting all versions up to and including 9.14.4. This vulnerability allows workspace overrides to leak into npm metadata saved in global cache, which can then affect other workspaces, while installs by default don't revalidate the data (GitHub Advisory).

The vulnerability stems from how pnpm handles workspace overrides and global cache interactions. When overrides are used in one workspace, they can leak into the npm metadata stored in the global cache (e.g., ~/Library/Caches/pnpm/metadata/registry.npmjs.org/). This cached metadata then affects other workspaces, and installations don't properly revalidate the data, even during initial lockfile generation. The issue has been assigned a CVSS v4.0 score of 5.8 (Moderate), with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H (GitHub Advisory).

The vulnerability can enable a workspace A (even when running with ignore-scripts=true) to poison the global cache and execute scripts in workspace B. This breaks the expected security model where users rely on ignore-scripts to prevent immediate code execution during installation. The impact extends to global state integrity being compromised through operations that would typically be considered secure, potentially leading to arbitrary code execution during package installations (GitHub Advisory).

The vulnerability has been fixed in pnpm version 9.15.0. As a temporary workaround, users can use separate cache and store directories in each workspace to prevent cross-workspace contamination. The fix prevents metadata mutations from being saved to the cache (GitHub Advisory, GitHub Commit).