Vulnerability in CocoaPods Dependency Manager Exposed Millions of Apps
2021-04-21 13:46

A remote code execution vulnerability identified on the central CocoaPods server could have allowed an attacker to poison any package download, security researcher Max Justicz reveals.

A dependency manager for Swift and Objective-C Cocoa projects, CocoaPods hosts more than 82,000 libraries and is used in over 3 million applications.

The vulnerability was disclosed to CocoaPods on Monday, and a patch was deployed server-side on the same day.

"The exploit is a combination of un-sanitized user input getting through to a git call param which can be used to send remote payloads," CocoaPods developer Orta Therox explains.

The change also breaks automated deployments to CocoaPods and requires developers to replace their COCOAPODS_TRUNK_TOKEN, which ensures that no one else retains access to their pods.

The vulnerability was introduced in 2015, but despite the long time the flaw resided on the server, the CocoaPods team does not believe that the CocoaPods Specs repo has been tampered with.
News URL

http://feedproxy.google.com/~r/Securityweek/~3/j1o1I-mKlEs/vulnerability-cocoapod-dependency-manager-exposed-millions-apps