Wednesday, July 3, 2024

Critical flaw in CocoaPods exposes iOS and macOS apps to supply chain attacks

July 1, 2024 | Newsroom | Supply Chain / Software Security


Three security flaws were discovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to perform software supply chain attacks and expose downstream customers to serious risks.

In a report published today, EVA Information Security researchers Leif Spector and Eran Vaknin said the vulnerability could allow “malicious actors to claim ownership of thousands of unclaimed pods and inject malicious code into many of the most popular iOS and macOS applications.”

The Israeli application security firm said the three issues were fixed by CocoaPods by October 2023. The company also reset all user sessions at that time in response to the disclosures.


One of the vulnerabilities is CVE-2024-38368 (CVSS score: 9.3), which allows attackers to abuse the “Claim Your Pods” process to take control of packages and tamper with their source code to introduce malicious changes. For this to work, however, all previous maintainers must already have been removed from the project.

The roots of this issue date back to 2014, when a migration to trunk servers left thousands of packages with unknown (or unclaimed) owners, allowing attackers to take control via the public API for claiming pods and an email address available in the CocoaPods source code (“unclaimed-pods@cocoapods.org”).

The second bug is more severe (CVE-2024-38366, CVSS score: 10.0) and could be used to execute arbitrary code on the Trunk server by leveraging an insecure email validation workflow, and thereby to manipulate or replace packages.

The researchers also identified a third issue (CVE-2024-38367, CVSS score: 8.2) in the email address validation component: a recipient could be tricked into clicking a seemingly harmless validation link that actually redirects the request to an attacker-controlled domain, giving the attacker access to the developer’s session token.

Even worse, by spoofing HTTP headers (specifically, the X-Forwarded-Host header field) and taking advantage of misconfigured email security tools, this can escalate to a zero-click account takeover attack.
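How the header-spoofing step described above works from the application's side, and how to close it, as an added Ruby example that is not CocoaPods' or EVA Information Security's code: a verification-link builder that trusts X-Forwarded-Host when composing the emailed URL, beside one that only uses a configured canonical host, plus an allowlist check a deployment can run on the forwarded header. The host names, token and header values are constructed for illustration.

```ruby
# Added example (not CocoaPods Trunk code): how a verification e-mail link
# becomes attacker-controlled when the server derives its own hostname from
# request headers, and the hardened alternative. All names and values here
# are constructed for illustration.

CANONICAL_HOST = "trunk.example.org" # assumed deployment setting, stand-in value

# Vulnerable pattern: trusts X-Forwarded-Host (or Host) to build an absolute URL.
# If the proxy in front of the app does not overwrite a client-supplied
# X-Forwarded-Host, the request dictates where the emailed link points, so the
# token in the link is delivered to whatever host the request named.
def verification_link_vulnerable(headers, token)
  host = headers["X-Forwarded-Host"] || headers["Host"]
  "https://#{host}/sessions/verify?token=#{token}"
end

# Hardened pattern: the public hostname comes from server configuration only;
# request headers never influence links that carry a session token.
def verification_link_hardened(token, canonical_host = CANONICAL_HOST)
  "https://#{canonical_host}/sessions/verify?token=#{token}"
end

# Defensive check usable at the edge or in middleware: returns true when the
# forwarded host is not one the deployment expects, so the request can be
# refused or the header dropped before the application sees it.
def suspicious_forwarded_host?(headers, allowed_hosts = [CANONICAL_HOST])
  fwd = headers["X-Forwarded-Host"]
  return false if fwd.nil?
  # A proxy chain may append several comma-separated values; every hop must be known.
  fwd.split(",").map(&:strip).any? { |h| !allowed_hosts.include?(h.downcase) }
end

# Constructed sample request: legitimate Host, client-injected X-Forwarded-Host.
SAMPLE_HEADERS = {
  "Host" => "trunk.example.org",
  "X-Forwarded-Host" => "attacker-controlled.example",
}.freeze

SAMPLE_TOKEN = "constructed-token-0123" # constructed value, not a real token

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{verification_link_vulnerable(SAMPLE_HEADERS, SAMPLE_TOKEN)}"
  puts "hardened:   #{verification_link_hardened(SAMPLE_TOKEN)}"
  puts "suspicious forwarded host? #{suspicious_forwarded_host?(SAMPLE_HEADERS)}"
end
```

The design point is that any link carrying an authentication token must be built from configuration, never from request-derived host data; the allowlist check is a second layer for the case where the reverse proxy is the component that was misconfigured.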


“We found that almost all of the pod owners had their organizational emails registered on the trunk server, making them vulnerable to the zero-click takeover vulnerability,” the researchers said.

This isn’t the first time CocoaPods has come under scrutiny: In March 2023, Checkmarx revealed that an abandoned subdomain associated with the dependency manager (“cdn2.cocoapods(.)org”) had been hijacked by attackers via GitHub Pages and potentially used to host payloads.
