A trio of security flaws has been uncovered in the CocoaPods<\/a> dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting downstream customers at severe risks.<\/p>\n The vulnerabilities allow “any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications,” E.V.A Information Security researchers Reef Spektor and Eran Vaknin said<\/a> in a report published today.<\/p>\n The Israeli application security firm said the three issues have since been patched<\/a> by CocoaPods as of October 2023. The project maintainers also reset all user sessions at the time in response to the disclosures.<\/p>\n One of the vulnerabilities is CVE-2024-38368<\/a> (CVSS score: 9.3), which makes it possible for an attacker to abuse the “Claim Your Pods<\/a>” process and take control of a package, effectively allowing them to tamper with the source code and introduce malicious changes. However, this required that all prior maintainers have been removed from the project.<\/p>\n The roots of the problem go back to 2014, when a migration to the Trunk server<\/a> left thousands of packages with unknown (or unclaimed<\/a>) owners, permitting an attacker to use a public API for claiming pods and an email address that was available in the CocoaPods source code (“unclaimed-pods@cocoapods.org”) to take over control.<\/p>\n The second bug is even more critical (CVE-2024-38366<\/a>, CVSS score: 10.0) and takes advantage of an insecure email verification workflow to run arbitrary code on the Trunk server, which could then be used to manipulate or replace the packages.<\/p>\n![\"Cybersecurity\"](\"https:\/\/www.blog.lineasdns.com\/wp-content\/uploads\/2025\/01\/Supply-Chain-Attack.gif\")
<\/a><\/center><\/div>\n