Advisory

Critical flaws reported in CocoaPods dependency manager for iOS/macOS

Take action: Reviewing third-party libraries is tedious work that nobody enjoys, but it is exactly what this requires. Your teams need to review the external pods they use, check for orphaned pods, and go through their dependency lists. Tedious as it is, it is valuable proactive work. Build automated tooling to do most of the grunt work, then follow up manually on what it flags; this cannot be done diligently with people alone.

Learn More

Security researchers at E.V.A Information Security have uncovered several critical vulnerabilities in CocoaPods, a widely used dependency manager for Swift and Objective-C projects.

CocoaPods is a critical component in the iOS and macOS development ecosystem, used in over three million mobile applications. The vulnerabilities potentially expose millions of Apple devices to supply chain attacks by allowing attackers to claim ownership of orphaned packages, execute arbitrary code on the CocoaPods ‘Trunk’ server, and perform zero-click account takeovers.

Vulnerability Details:

  1. CVE-2024-38366 (CVSS score 10.0) - Remote Code Execution on the Trunk Server - A flaw in the email verification process allows attackers to execute arbitrary code on the server that manages package distribution.

  2. CVE-2024-38368 (CVSS score 9.3) - Unauthorized Ownership of Orphaned Pods - Attackers can claim ownership of any of the 1,866 orphaned pods, potentially injecting malicious code into widely used packages.

  3. CVE-2024-38367 (CVSS score 8.2) - Zero-Click Account Takeover - By exploiting the X-Forwarded-Host header and email security tools, attackers can gain unauthorized access to developer accounts.

The vulnerabilities affect a significant portion of the Swift and Objective-C application ecosystem, potentially impacting thousands to millions of apps across iOS, macOS, and other Apple platforms.

Developers and organizations using CocoaPods are advised to:

  1. Review dependency lists and validate the checksums of third-party libraries.

  2. Perform security scans to detect malicious code or suspicious changes.

  3. Keep software updated and limit the use of orphaned or unmaintained packages.

  4. Verify that no orphaned Pods are in use.

  5. Ensure, as far as possible, that third-party dependencies are actively maintained and have clear ownership.
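The "Take action" note and the recommendations above both ask for automated review of dependency lists and checksums. The following Ruby script is an added example of such a check and is not code from the advisory or from the CocoaPods project. It parses a Podfile.lock, folds subspecs into their root pod, and reports pods whose SPEC CHECKSUMS entry differs from a team-approved baseline, pods missing from that baseline, pods with no checksum at all, and pods whose ownership the team has not yet confirmed. The lockfile, the checksums and the pod LegacyHelper are all constructed sample data; the baseline and owner-verified list are assumptions about how a team would record review results, and confirming whether a pod is orphaned still has to be done against Trunk itself, which this offline script does not do.

```ruby
require 'yaml'

# Constructed sample Podfile.lock (not taken from any real project). The
# checksums are placeholder hex strings, not real CocoaPods spec checksums.
SAMPLE_LOCKFILE = <<~LOCK
  PODS:
    - Alamofire (5.9.1)
    - SDWebImage (5.19.0):
      - SDWebImage/Core (= 5.19.0)
    - SDWebImage/Core (5.19.0)
    - LegacyHelper (0.1.3)

  DEPENDENCIES:
    - Alamofire (~> 5.9)
    - LegacyHelper
    - SDWebImage

  SPEC REPOS:
    trunk:
      - Alamofire
      - LegacyHelper
      - SDWebImage

  SPEC CHECKSUMS:
    Alamofire: aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111
    LegacyHelper: cccc3333cccc3333cccc3333cccc3333cccc3333
    SDWebImage: bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222

  PODFILE CHECKSUM: dddd4444dddd4444dddd4444dddd4444dddd4444

  COCOAPODS: 1.15.2
LOCK

# Checksums the team last reviewed and approved (constructed, hypothetical).
# A real team would commit this next to the Podfile and update it only after
# a review of the new spec.
APPROVED_CHECKSUMS = {
  'Alamofire'  => 'aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111',
  'SDWebImage' => 'ffff9999ffff9999ffff9999ffff9999ffff9999' # differs from the lockfile
}.freeze

# Pods whose ownership the team has confirmed (constructed, hypothetical).
# Orphan status itself must be checked against Trunk; this list records the outcome.
OWNER_VERIFIED_PODS = %w[Alamofire SDWebImage].freeze

# Parse a Podfile.lock into { root_pod_name => { version:, checksum: } }.
# Subspecs such as "SDWebImage/Core" fold into their root pod, because the
# SPEC CHECKSUMS section is keyed by root name only.
def parse_podfile_lock(text)
  data = YAML.safe_load(text)
  checksums = data.fetch('SPEC CHECKSUMS', {})
  pods = {}
  data.fetch('PODS', []).each do |entry|
    spec = entry.is_a?(Hash) ? entry.keys.first : entry
    m = spec.match(/\A(\S+) \(([^)]+)\)\z/)
    next unless m
    root = m[1].split('/').first
    pods[root] ||= { version: m[2], checksum: checksums[root] }
  end
  pods
end

# Compare the lockfile against the approved baseline and return findings.
# Each finding is { kind:, pod:, detail: }; kinds are:
#   :missing_checksum     - no SPEC CHECKSUMS entry, so integrity cannot be pinned
#   :unreviewed_pod       - pod absent from the approved baseline
#   :checksum_changed     - spec changed since review (new version or altered spec)
#   :ownership_unverified - pod not on the owner-verified list
def audit_podfile_lock(text, approved: APPROVED_CHECKSUMS, verified: OWNER_VERIFIED_PODS)
  findings = []
  parse_podfile_lock(text).each do |name, info|
    if info[:checksum].nil?
      findings << { kind: :missing_checksum, pod: name, detail: info[:version] }
    elsif !approved.key?(name)
      findings << { kind: :unreviewed_pod, pod: name, detail: info[:version] }
    elsif approved[name] != info[:checksum]
      findings << { kind: :checksum_changed, pod: name,
                    detail: "#{approved[name][0, 8]} -> #{info[:checksum][0, 8]}" }
    end
    unless verified.include?(name)
      findings << { kind: :ownership_unverified, pod: name, detail: info[:version] }
    end
  end
  findings.sort_by { |f| [f[:pod], f[:kind].to_s] }
end

if __FILE__ == $PROGRAM_NAME
  audit_podfile_lock(SAMPLE_LOCKFILE).each do |f|
    puts format('%-22s %-14s %s', f[:kind], f[:pod], f[:detail])
  end
end
```

Run against a real project, the script would read Podfile.lock from disk instead of the inline sample, and a CI job would fail the build on any finding so that a changed checksum or an unreviewed pod is looked at by a person before it ships; the manual follow-up is what the automation is there to focus, not to replace.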

The CocoaPods team has been informed of these vulnerabilities and has patched them.
