CVE-2024-38367 Overview
CVE-2024-38367 is a session hijacking vulnerability in trunk.cocoapods.org, the authentication server for the CocoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the session verification step built its verification URL from attacker-controllable request headers, which allowed an owner's session to be hijacked. Compromising a victim's session gives the attacker full control of the victim's trunk account, with which they could alter pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem.
Critical Impact
Full account takeover of CocoaPods trunk accounts, enabling attackers to manipulate pod specifications and disrupt the supply chain for iOS/macOS applications.
Affected Products
- CocoaPods trunk.cocoapods.org (versions prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97)
Discovery Timeline
- October 2023 - CocoaPods releases security patch (commit d4fa66f49cedab449af9a56a21ab40697b9f7b97)
- 2024-07-01 - CVE-2024-38367 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-38367
Vulnerability Analysis
This vulnerability falls under the category of Session Hijacking (CWE-488: Exposure of Data Element to Wrong Session). The flaw exists in the session verification mechanism of CocoaPods trunk, which is the central authentication server managing package ownership and publishing rights for the CocoaPods ecosystem.
The vulnerability allowed an attacker to control the host in the session verification URL that trunk e-mails to an account owner. The only user interaction required is the victim clicking a verification link in an e-mail that genuinely comes from trunk, so the attack defeats the e-mail-based ownership check by exploiting improper URL construction in the session verification flow.
Given CocoaPods' position as the primary dependency manager for iOS and macOS development, with millions of applications depending on it, this vulnerability posed a significant supply chain risk. An attacker with control over a pod owner's account could push malicious code updates to widely-used libraries.
Root Cause
The root cause lies in how the verification URL template was built from request headers (request.scheme and request.host_with_port). Because request.host_with_port is derived from the client-supplied Host header, an attacker who requests a session for the victim's registered e-mail address can point the verification link at an attacker-controlled domain and capture the verification token embedded in it.
Attack Vector
The attack is network-based and requires a single user interaction: the victim clicking a verification link. An attacker could:
- Send a session creation request for the victim's registered e-mail address with a manipulated Host header
- Cause the verification URL in the resulting e-mail to point to an attacker-controlled domain
- Receive the verification token at that domain when the victim clicks the link
- Submit the token to the real trunk verification endpoint, activating the session whose API token was already returned to the attacker when the session was created, and take over the account
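The following Ruby snippet is an added example, not code from the CocoaPods trunk repository. It shows how a verification URL template that is built from the request inherits whatever the client put in the Host header, the hardened alternative that takes the base URL from configuration, and an allowlist check on the final link as defence in depth. FakeRequest is a constructed stand-in for a Rack request (a simplified host_with_port), and TRUNK_BASE_URL and the token value are assumed values.

```ruby
# Added example (not CocoaPods' own code): Host-header-derived verification URL
# versus a configuration-derived one. FakeRequest is a constructed stand-in for a
# Rack request; the env keys mirror Rack's CGI-style names.
require 'uri'

TRUNK_BASE_URL = 'https://trunk.cocoapods.org'.freeze # assumed configured value

class FakeRequest
  def initialize(env)
    @env = env
  end

  def scheme
    @env['rack.url_scheme']
  end

  # Simplified Rack::Request#host_with_port: the client's Host header wins.
  def host_with_port
    @env['HTTP_HOST'] || "#{@env['SERVER_NAME']}:#{@env['SERVER_PORT']}"
  end
end

# Vulnerable: the template inherits whatever the client sent as Host.
def vulnerable_url_template(request)
  "#{request.scheme}://#{request.host_with_port}/sessions/verify/%s"
end

# Hardened: the template comes from configuration, never from the request.
def hardened_url_template(_request)
  "#{TRUNK_BASE_URL}/sessions/verify/%s"
end

# Defence in depth: refuse to mail a link whose host is not the trunk host.
def verification_link(template, verification_token, allowed_host: URI(TRUNK_BASE_URL).host)
  url = template % verification_token
  host = URI.parse(url).host
  raise ArgumentError, "refusing to mail verification link for host #{host.inspect}" unless host == allowed_host
  url
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: the attacker supplies a Host header naming their server.
  spoofed = FakeRequest.new(
    'rack.url_scheme' => 'https',
    'HTTP_HOST'       => 'trunk.attacker.example',
    'SERVER_NAME'     => 'trunk.cocoapods.org',
    'SERVER_PORT'     => '443'
  )
  token = 'abc123' # constructed verification token

  puts vulnerable_url_template(spoofed) % token
  puts hardened_url_template(spoofed) % token
  begin
    verification_link(vulnerable_url_template(spoofed), token)
  rescue ArgumentError => e
    puts "blocked: #{e.message}"
  end
end
```

With the spoofed request the vulnerable template yields https://trunk.attacker.example/sessions/verify/abc123, the hardened template yields https://trunk.cocoapods.org/sessions/verify/abc123, and the allowlist check rejects the attacker-hosted link before it can be mailed.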
o.save
end
- url_template = "#{request.scheme}://#{request.host_with_port}/sessions/verify/%s"
+ url_template = ENV['RACK_ENV'] == 'test' ? "#{request.scheme}://#{request.host_with_port}/sessions/verify/%s" : 'https://trunk.cocoapods.org/sessions/verify/%s'
session = owner.create_session!(request.ip, url_template, session_description)
session_attributes = session.public_attributes
session_attributes['token'] = session.token
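Review bot: the `+` line keeps the Host-header-derived template whenever `ENV['RACK_ENV'] == 'test'`, so the request-controlled URL construction is still reachable in that environment and the same code path that caused the bug is preserved rather than removed. Prefer a single source of truth such as a configured base URL read from the environment in all environments (e.g. `"#{ENV.fetch('TRUNK_BASE_URL')}/sessions/verify/%s"`), which avoids hardcoding the production host and also keeps staging deployments working; splitting the long ternary across lines would make the two branches easier to review.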
Source: CocoaPods Commit Details
Detection Methods for CVE-2024-38367
Indicators of Compromise
- Unexpected session verification emails with non-standard URLs (domains other than trunk.cocoapods.org)
- Unauthorized changes to pod specifications or ownership
- Login notifications from unfamiliar IP addresses or geographic locations
- Unexpected new maintainers added to pods
Detection Strategies
- Monitor CocoaPods trunk account activity for unauthorized modifications to pod specifications
- Review email logs for session verification requests with suspicious or non-standard domains
- Audit pod ownership changes and new maintainer additions
- Implement alerting for any account activity originating from unexpected IP addresses
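The following Ruby script is an added example, not CocoaPods tooling, implementing the e-mail link review suggested above. It extracts http(s) URLs from verification e-mail bodies and flags any verification link whose scheme is not https, that carries userinfo (the https://trunk.cocoapods.org@evil.example trick), or whose host is not exactly trunk.cocoapods.org (catching look-alike suffixes such as trunk.cocoapods.org.evil.example). The e-mail bodies are constructed samples and do not reproduce trunk's real mail wording.

```ruby
# Added example (not CocoaPods' own tooling): flag verification links that do
# not point at the real trunk host. Sample e-mail bodies are constructed.
require 'uri'

TRUNK_HOST = 'trunk.cocoapods.org'.freeze
VERIFY_PATH_PREFIX = '/sessions/verify/'.freeze

# Returns every absolute http(s) URL found in the text.
def extract_urls(text)
  text.scan(%r{https?://[^\s<>"']+})
end

# Classifies one link. A verification link is legitimate only when it uses
# https, carries no userinfo and its host is exactly the trunk host.
def classify_link(url)
  uri = URI.parse(url)
  return :not_verify_link unless uri.path.to_s.start_with?(VERIFY_PATH_PREFIX)
  return :suspicious_scheme unless uri.scheme == 'https'
  return :suspicious_userinfo unless uri.userinfo.nil?
  return :suspicious_host unless uri.host&.downcase == TRUNK_HOST
  :legitimate
rescue URI::InvalidURIError
  :unparseable
end

# Returns [url, verdict] pairs for verification links that are not legitimate.
def suspicious_links(email_body)
  extract_urls(email_body)
    .map { |u| [u, classify_link(u)] }
    .reject { |(_, verdict)| verdict == :legitimate || verdict == :not_verify_link }
end

# Constructed sample e-mail bodies.
SAMPLE_EMAILS = {
  'legit'     => 'Please verify your session: https://trunk.cocoapods.org/sessions/verify/2f9a1c',
  'spoofed'   => 'Please verify your session: https://trunk.attacker.example/sessions/verify/2f9a1c',
  'lookalike' => 'Please verify your session: https://trunk.cocoapods.org.evil.example/sessions/verify/2f9a1c',
  'userinfo'  => 'Please verify your session: https://trunk.cocoapods.org@evil.example/sessions/verify/2f9a1c',
  'plainhttp' => 'Please verify your session: http://trunk.cocoapods.org/sessions/verify/2f9a1c'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EMAILS.each do |name, body|
    hits = suspicious_links(body)
    puts hits.empty? ? "#{name}: ok" : "#{name}: #{hits.map { |u, v| "#{v} (#{u})" }.join(', ')}"
  end
end
```

Only the 'legit' sample passes; the other four are flagged with the verdict naming the failed check. The same function can be run over an exported mailbox to review historical verification e-mails.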
Monitoring Recommendations
- Enable notifications for all account activity on CocoaPods trunk accounts
- Monitor deployed applications for unexpected dependency updates from your managed pods
- Review CocoaPods trunk session logs for anomalous patterns
- Implement integrity monitoring for critical pod specifications
How to Mitigate CVE-2024-38367
Immediate Actions Required
- Verify that your CocoaPods trunk server is updated past commit d4fa66f49cedab449af9a56a21ab40697b9f7b97
- Review all pod specifications for unauthorized changes
- Regenerate API tokens and session credentials for all trunk accounts
- Audit pod ownership and remove any unauthorized maintainers
Patch Information
This vulnerability was patched server-side by CocoaPods in October 2023 with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97. The fix hardcodes the production trunk URL (https://trunk.cocoapods.org/sessions/verify/%s) instead of dynamically constructing it from request headers. For additional details, see the CocoaPods Blog Post and the GitHub Security Advisory GHSA-52gf-m7v9-m333.
Workarounds
- Carefully inspect all session verification emails before clicking links, ensuring they point to trunk.cocoapods.org
- Use email security solutions that can detect and block emails with suspicious verification URLs
- Keep the owner list of each pod minimal and remove stale owners; trunk authenticates owners through e-mail verification links alone, so every owner account is a takeover target
- Pin dependency versions in Podfile.lock and review changes to its SPEC CHECKSUMS entries, so a tampered podspec is noticed before it is consumed
# Show your trunk account, including every registered session
pod trunk me
# Revoke all sessions except the current one (add --all to revoke the current one too)
pod trunk me clean-sessions
# List a pod's owners and published versions to spot unauthorized changes
pod trunk info POD_NAME
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

