Critical vulnerabilities were discovered in the CocoaPods dependency manager that could have allowed threat actors to take over thousands of orphaned packages (pods), execute shell commands on the CocoaPods Trunk server, and hijack pod owner accounts. The vulnerabilities, tracked as CVE-2024-38368 (CVSS score of 9.9), CVE-2024-38366 (CVSS score of 9.0), and CVE-2024-38367 (CVSS score of 8.0), could have affected millions of iOS and macOS applications that pull their dependencies through CocoaPods.
The first vulnerability allowed an attacker to claim ownership of orphaned pods, while the second was a remote code execution bug that let an attacker run arbitrary shell commands on the Trunk server. The third allowed an attacker to hijack a pod owner's session and take over that owner's CocoaPods Trunk account.
The remote code execution and session hijacking bugs could have been exploited by abusing the email verification step that runs when a developer registers as a pod owner. A successful attacker could have dumped every pod owner's session token, poisoned the traffic served to CocoaPods clients, or shut the server down completely.
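The page does not describe how Trunk's verification flow was implemented, so the following is an added, generic illustration rather than CocoaPods code: it contrasts a verification link built from a request-supplied host (a weak pattern that lets whoever triggers the email redirect the link, and its token, to a host they control) with a link built from a configured canonical host, backed by random, hashed, single-use, expiring tokens. The hostnames, paths and TTL are assumptions chosen for the example.

```ruby
require 'securerandom'
require 'digest'
require 'uri'

# Assumed canonical public host for the service, taken from configuration.
# It is never derived from request headers such as Host or X-Forwarded-Host.
CANONICAL_BASE_URL = 'https://trunk.example.test'.freeze
TOKEN_TTL_SECONDS = 15 * 60 # assumed lifetime of a verification link

# In-memory stand-in for a database table of pending verifications,
# keyed by the SHA-256 digest of the token, not the token itself.
PENDING = {}

# Weak pattern (for contrast only): the link host comes from the request.
# An attacker who can trigger the verification email and set this header
# receives the link, and the token in it, on a host they control.
def weak_verification_link(request_headers, token)
  host = request_headers['X-Forwarded-Host'] || request_headers['Host']
  "https://#{host}/sessions/verify/#{token}"
end

# Hardened: issue a random token, store only its digest so a database dump
# cannot be replayed as login links, and record an expiry for it.
def issue_verification(email, now = Time.now.to_i)
  token = SecureRandom.urlsafe_base64(32)
  PENDING[Digest::SHA256.hexdigest(token)] = {
    email: email, expires_at: now + TOKEN_TTL_SECONDS, used: false
  }
  token
end

# Hardened: the link is built from the configured base URL only.
def verification_link(token)
  URI.join(CANONICAL_BASE_URL, "/sessions/verify/#{token}").to_s
end

# Hardened: look the presented token up by digest, reject unknown, expired
# and already-used tokens, and burn the token on first successful use.
# Returns [status, email]; email is nil unless status is :ok.
def verify(token, now = Time.now.to_i)
  record = PENDING[Digest::SHA256.hexdigest(token.to_s)]
  return [:invalid, nil] if record.nil?
  return [:expired, nil] if now > record[:expires_at]
  return [:reused, nil] if record[:used]
  record[:used] = true
  [:ok, record[:email]]
end

if __FILE__ == $PROGRAM_NAME
  tok = issue_verification('owner@example.test')
  puts "weak link:     #{weak_verification_link({ 'X-Forwarded-Host' => 'attacker.example.test' }, tok)}"
  puts "hardened link: #{verification_link(tok)}"
  puts "first use:     #{verify(tok).inspect}"
  puts "second use:    #{verify(tok).inspect}"
end
```

The point of the contrast is that token strength alone does not help if the link carrying the token can be pointed at an attacker's host; the canonical host must come from server configuration, and the token should additionally be single-use and short-lived so that a leaked link has a narrow window of value.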
CocoaPods fixed all three vulnerabilities server-side in September and October 2023, so they can no longer be exploited.