Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain Attacks

Critical vulnerabilities were discovered in the CocoaPods dependency manager that could have allowed threat actors to take over thousands of orphaned packages, execute shell commands, and take over accounts. The vulnerabilities, tracked as CVE-2024-38368 (CVSS score of 9.9), CVE-2024-38366 (CVSS score of 9.0), and CVE-2024-38367 (CVSS score of 8.0), could have affected millions of iOS and macOS applications.

The first vulnerability allowed attackers to take over orphaned pods, while the second vulnerability was a remote code execution bug that executed shell commands on the Trunk server. The third vulnerability allowed attackers to hijack a pod owner’s session and take over the CocoaPods trunk account.

The vulnerabilities were exploited by manipulating the email verification process during the registration of a developer as a pod owner. This could have led to an attacker dumping all pod owners’ session tokens, poisoning clients’ traffic, or even shutting down the server completely.

CocoaPods addressed these vulnerabilities server-side in September and October 2023, making exploitation no longer possible.
