We use cookies to improve your experience on our site.
AVID-2026-R1281
Description
Trojan Lockfilein pdm (CVE-2023-45805)
Details
pdm is a Python package and dependency manager supporting the latest PEP standards. It’s possible to craft a malicious pdm.lock file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project foo can be targeted by creating the project foo-2 and uploading the file foo-2-2.tar.gz to pypi.org. PyPI will see this as project foo-2 version 2, while PDM will see this as project foo version 2-2. The version must only be parseable as a version and the filename must be a prefix of the project name, but it’s not verified to match the version being installed. Version 2-2 is also not a valid normalized version per PEP 440. Matching the project name exactly (not just prefix) would fix the issue. When installing dependencies with PDM, what’s actually installed could differ from what’s listed in pyproject.toml (including arbitrary code execution on install). It could also be used for downgrade attacks by only changing the version. This issue has been addressed in commit 6853e2642df which is included in release version 2.9.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Reason for inclusion in AVID: The vulnerability targets a Python dependency manager (pdm) used to build/install dependencies in AI pipelines. By crafting a malicious pdm.lock, an attacker can cause arbitrary code execution during installation, or mis-dependency resolution, affecting software used to train/serve AI systems. This is a software supply chain vulnerability in components (dependency management, install process) used to build/run AI systems. The report provides CVE details, impact, and fix version, satisfying sufficient evidence.
References
- NVD entry
- https://github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9
- https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831
- https://github.com/frostming/unearth/blob/eca170d9370ac5032f2e497ee9b1b63823d3fe0f/src/unearth/evaluator.py#L215-L229
- https://github.com/pdm-project/pdm/blob/45d1dfa47d4900c14a31b9bb761e4c46eb5c9442/src/pdm/models/candidates.py#L98-L99
- https://peps.python.org/pep-0440/#post-release-spelling
Affected or Relevant Artifacts
- Developer: pdm-project
- Deployer: pdm-project
- Artifact Details:
| Type | Name |
|---|---|
| System | pdm |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Base Score | 7.8 |
| Base Severity | 🔴 High |
| Attack Vector | LOCAL |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-20 | CWE-20: Improper Input Validation |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-10-20
- Version: 0.3.3
- AVID Entry