cocoapods - isotope¹³

Incident Summary

CocoaPods Orphaned Pods and RCE Vulnerabilities

EVA Information Security discovered three critical CocoaPods vulnerabilities that had existed for nearly a decade. The flaws allowed orphaned package takeover, Trunk server code execution through email validation, and zero-click account takeover. Because CocoaPods sits under a vast iOS and macOS dependency graph, exploitation could have redirected trusted mobile builds at registry scale.

Date: 2014-05-01 to 2023-10-31
Category: Open Source
Target Surface: Package registry
Insertion Phase: source
Impact: Code Execution
Cause: Vulnerable Infrastructure

What Was Affected

Package cocoapods

LanguageRuby

ComponentPackage Manager

Artifact typepackage registry

Domain typepackage host

Domain cocoapods.org

Repository github.com/CocoaPods/CocoaPods

Incident Context

Motive: Exploitation/Injection
Attribution: Third Party
Transitive: No
User Impact: 3000000
Observed Duration: 3470 days

External References

evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods

Source Data

Source record: oss/cocoapods/meta.yaml