CVE-2024-38366
Published: 01 July 2024
Summary
CVE-2024-38366 is a critical-severity injection (CWE-74) vulnerability in CocoaPods trunk (trunk.cocoapods.org). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-38366 is a remote code execution vulnerability in trunk.cocoapods.org, the authentication server for the CocoaPods dependency manager. The affected component is the email verification step of user signup, which used an rfc-822 Ruby library to check that the email domain has valid MX records. That library performed the DNS MX lookup by executing a shell command, and because the email domain is attacker-supplied, the lookup could be manipulated into running additional commands (command injection, CWE-74). The issue carries a CVSS 3.1 base score of 10.0.
An unauthenticated attacker could exploit the flaw during signup: the one input they control, the email address, feeds the domain into the MX lookup, and manipulating that lookup executed arbitrary commands on the trunk server with root-level access to the server and its infrastructure. Successful exploitation would have allowed the attacker to modify any Podspec stored in trunk, a supply-chain compromise of every CocoaPods user resolving those specs; after the flaw was found, CocoaPods reset all user sessions.
The vulnerability was fixed server-side in September 2023 via commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3. The public advisories and the CocoaPods security announcement describe the root cause and confirm that the patch predates the July 2024 CVE publication by roughly ten months. The EPSS score rose from a low baseline to a peak of 0.59, indicating growing exploitation interest after disclosure.
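As an added illustration (not trunk's or the rfc-822 gem's actual code), the Ruby sketch below contrasts the vulnerable shape described above, an email domain interpolated into a shell string, with a hardened check that validates the domain against a strict hostname pattern and performs the MX lookup with Resolv::DNS instead of a shell. The `host -t mx` command, the hostname regex, and the StubResolver with its constructed MX records are assumptions of this example, not details taken from the advisory.

```ruby
require 'resolv'

# Illustrative reconstruction of the vulnerable pattern. This is NOT the
# rfc-822 gem's code; it shows the shape of the bug. The domain portion of an
# attacker-supplied email address is interpolated into a shell string, so any
# shell metacharacter (";", "|", "$(...)", backticks) is interpreted by /bin/sh.
# The command is returned rather than executed so the payload is visible.
def vulnerable_mx_command(email)
  domain = email.split('@', 2).last
  "host -t mx #{domain}" # in the real pattern this string would go to `...` or system()
end

# Hardened input check: an RFC 1035 hostname allowlist. Labels are
# [A-Za-z0-9-] separated by dots, at most 63 characters each, 253 overall,
# with an alphabetic TLD. Anything else is rejected before it can reach a
# shell, a resolver or a log line. (Assumption of this example.)
HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i

def valid_domain?(domain)
  !!(domain && domain.match?(HOSTNAME_RE))
end

# Hardened MX lookup: no shell at all. Resolv::DNS speaks DNS directly from
# Ruby, so there is nothing for metacharacters to act on. The resolver is
# injectable so the check can be exercised offline; in production the default
# Resolv::DNS.new reads /etc/resolv.conf.
def mx_hosts(email, resolver: Resolv::DNS.new)
  _, domain = email.to_s.split('@', 2)
  raise ArgumentError, 'malformed email domain' unless valid_domain?(domain)

  resolver.getresources(domain, Resolv::DNS::Resource::IN::MX)
          .sort_by(&:preference)
          .map { |r| r.exchange.to_s }
end

# Constructed stand-in for a DNS resolver, used so the example runs offline.
# The MX records below are made up for this example.
class StubResolver
  def getresources(_name, _typeclass)
    [
      Resolv::DNS::Resource::IN::MX.new(20, Resolv::DNS::Name.create('mx2.example.com.')),
      Resolv::DNS::Resource::IN::MX.new(10, Resolv::DNS::Name.create('mx1.example.com.'))
    ]
  end
end

if __FILE__ == $PROGRAM_NAME
  # The vulnerable shape lets the attacker append a second command.
  puts vulnerable_mx_command('attacker@example.com; id')
  # The hardened path rejects the same address before any lookup happens.
  begin
    mx_hosts('attacker@example.com; id', resolver: StubResolver.new)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts mx_hosts('user@example.com', resolver: StubResolver.new).inspect
end
```

Validating the domain is the primary fix because it closes the injection regardless of how the lookup is implemented; replacing the shell-out with Resolv::DNS is defence in depth. If an external binary really must be run, pass arguments as an array (for example `Open3.capture2('host', '-t', 'mx', domain)`) so no shell parses the string, and still validate the domain first.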
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37280
Vulnerability details
trunk.cocoapods.org is the authentication server for the CocoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used an rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via a DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-38366 allows RCE via command injection in the email verification step of the public-facing CocoaPods trunk server, which maps to Exploit Public-Facing Application (T1190); because it permitted arbitrary writes to Podspecs served to every CocoaPods user, it also maps to Compromise Software Supply Chain (T1195.002).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Developer assessments and testing, including injection-focused techniques, identify improper neutralization of special elements (here, an email domain reaching a shell command), and verifiable flaw remediation corrects them before deployment.
- Attack and anomaly monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.), such as shell metacharacters appearing in user-supplied fields like signup email addresses.