CocoaPods Blog

CocoaPods Trunk: 3 Remote Code Execution found, 2023

Over the last month, security researchers at evasec.io have reached out to us about three separate vulnerabilities in CocoaPods Trunk (the server which handles updates to Pods). We've been working with evasec to patch these issues as they come up. Looking at all three combined, I felt we needed to reset all user sessions again, which is why I'm writing this blog post instead of working on Puzzmo, which just shipped this week.

There are three key issues reported against Trunk, which were promptly fixed:

  1. It was still possible to use the 'claim your pod' process to take over a Pod when someone had removed all prior maintainers from it
  2. The email which is sent out to verify your email address could be tricked into linking to a third-party site
  3. The part of trunk which verifies your email address could be used to execute shell commands on the trunk server

Being able to execute arbitrary shell commands on the server gave a possible attacker the ability to read our environment variables, which could be used to write to the CocoaPods/Specs repo and read the trunk database. Being able to trick people into clicking a link that takes them to a third-party site could be used to steal their session keys. I can't guarantee that neither of these happened, and I'd rather be on the safe side.

This means you will need to log in to trunk again to deploy any new Podspecs. If you have automated deployment to CocoaPods working with a stored ENV VAR right now, this will break, and you will need to run pod trunk register again and replace your COCOAPODS_TRUNK_TOKEN. We're sorry, I know that sucks, but it also guarantees that you are the only person with write access to your pods.

If you are not a pod author, you do not need to do anything.

evasec.io are still in the process of writing up the full technical details of how the exploits worked, so I'll both update this post with links to their write-ups when they are ready, as well as do a new blog post with the details at a higher level to describe how they work to folks who are not intimate with server architectures.


CocoaPods Web Hosting now Sponsored by Emerge Tools

I'm very happy to announce that Emerge Tools is now sponsoring the web hosting costs of CocoaPods!

We're super thankful that Emerge is stepping in to help us out with this. CocoaPods.org, Trunk, and all the other websites we maintain are a critical part of the CocoaPods ecosystem, and we're glad to have Emerge's support to keep them running.


1.11 Arrives!

CocoaPods 1.11 raises the minimum Ruby version to 2.6 while adding support for Ruby 3.0. It also adds support for 'On Demand Resources' and contains numerous bug fixes and improvements!


CocoaPods Trunk: Remote Code Execution found

Part of the server-side validation for uploading a new CocoaPod to the central repository of Podspecs (trunk) could be exploited to execute arbitrary shell commands on the trunk server.

We were contacted by Max Justicz this morning, who provided us with a great technical write-up and showed us how to trigger it ourselves. The exploit combines unsanitized user input that reaches a parameter of a git call with a way to use that parameter to deliver remote payloads.
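The bug class above, unsanitized input reaching a git invocation, has two layers that are easy to confuse: shell metacharacters in a string that is handed to /bin/sh, and a value beginning with '-' that git itself reads as an option. The following Ruby is an added example written for this page; it is not trunk's code and does not reproduce the reported exploit. The three input strings are constructed; '--upload-pack' is used only as an illustration of a git option that names a program for git to run, and the assumed vulnerable pattern is a podspec source URL interpolated into a shell string ahead of 'git ls-remote'.

```ruby
require 'uri'

# Constructed inputs (not taken from the disclosure): one honest podspec
# source and two hostile ones.
HONEST_SOURCE = 'https://github.com/CocoaPods/Specs.git'
OPTION_INJECT = '--upload-pack=/tmp/payload'          # leading '-' makes git read it as an option
SHELL_INJECT  = 'https://example.com/repo.git$(id)'   # legal URL characters, hostile only to /bin/sh

# Assumed vulnerable pattern: interpolate the user-controlled value into one
# shell string. Everything the shell understands ($(...), ;, |) is honoured,
# and a value starting with '-' reaches git as an option, not a repository.
def vulnerable_ls_remote_command(source_url)
  "git ls-remote #{source_url}"
end

# Fix, step 1: only accept an https URL with a host. The explicit '-' check is
# redundant with the scheme check but documents the option-injection case.
def safe_source_url?(source_url)
  return false unless source_url.is_a?(String) && !source_url.start_with?('-')
  uri = URI.parse(source_url)
  uri.scheme == 'https' && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Fix, step 2: never go through a shell. An argv array (for Process.spawn,
# system(*argv) or Open3.capture3(*argv)) hands the URL to git as a single
# argument, so "$(id)" stays a literal, and "--" tells git that what follows
# is a positional argument even if it begins with '-'.
def hardened_ls_remote_argv(source_url)
  unless safe_source_url?(source_url)
    raise ArgumentError, "rejected podspec source: #{source_url.inspect}"
  end
  ['git', 'ls-remote', '--', source_url]
end

# Shows which layer stops which input; note that SHELL_INJECT passes the URL
# check, so validation alone would not have been a fix.
def report(source_url)
  {
    source: source_url,
    passes_url_check: safe_source_url?(source_url),
    shell_string: vulnerable_ls_remote_command(source_url),
    argv: (hardened_ls_remote_argv(source_url) rescue :rejected)
  }
end

if __FILE__ == $PROGRAM_NAME
  [HONEST_SOURCE, OPTION_INJECT, SHELL_INJECT].each { |s| p report(s) }
end
```

The point of the report is the third row: a URL that is syntactically valid still carries "$(id)", so the durable fix is the argv form, with the validator as a second layer that stops values git would misread as options.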

Being able to execute arbitrary shell commands on the server gave a possible attacker the ability to read the environment variables, which could be used to write to the CocoaPods/Specs repo and read the trunk database.

This means you will need to log in to trunk again to deploy any new Podspecs. If you have automated deployment to CocoaPods working right now, this will break, and you will need to run pod trunk register again and replace your COCOAPODS_TRUNK_TOKEN. We're sorry, I know that sucks, but it also guarantees that you are the only person with write access to your pods.
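Both trunk advisories on this page end with the same procedure: register again, then replace the COCOAPODS_TRUNK_TOKEN secret in CI. The Ruby below is an added example for this page, not CocoaPods' own code. It assumes the documented behaviour that pod trunk register stores the new session as a "machine trunk.cocoapods.org" entry in ~/.netrc, pulls the token out of that file so it can be pasted into the CI secret store, and checks whether the token CI currently holds is still the pre-reset one. The .netrc contents embedded in the block are constructed and the token in it is not real.

```ruby
NETRC_PATH = File.join(Dir.home, '.netrc')
TRUNK_HOST = 'trunk.cocoapods.org'

# Constructed sample of what pod trunk register leaves behind; the token is
# made up, and the first entry is there to show the right machine is picked.
SAMPLE_NETRC = <<~NETRC
  machine api.example.com
    login ci-bot
    password not-the-token-we-want
  machine trunk.cocoapods.org
    login maintainer@example.com
    password 0123456789abcdef0123456789abcdef
NETRC

# Minimal netrc reader: the format is whitespace-separated keyword/value pairs,
# and each "machine" keyword starts a new entry. "macdef" blocks are not
# handled because trunk never writes them.
def parse_netrc(text)
  entries = {}
  current = nil
  tokens = text.split
  i = 0
  while i < tokens.length
    case tokens[i]
    when 'machine'
      current = entries[tokens[i + 1]] = {}
      i += 2
    when 'default'
      current = entries['default'] = {}
      i += 1
    when 'login', 'password', 'account'
      current[tokens[i]] = tokens[i + 1] if current
      i += 2
    else
      i += 1
    end
  end
  entries
end

def trunk_login(netrc_text, host = TRUNK_HOST)
  entry = parse_netrc(netrc_text)[host]
  entry && entry['login']
end

def trunk_token(netrc_text, host = TRUNK_HOST)
  entry = parse_netrc(netrc_text)[host]
  entry && entry['password']
end

# True when the secret CI holds is not the session pod trunk register just
# created locally, i.e. the rotation has not reached the pipeline yet.
def ci_token_stale?(netrc_text, ci_token)
  local = trunk_token(netrc_text)
  local.nil? || ci_token.nil? || ci_token != local
end

if __FILE__ == $PROGRAM_NAME
  text = File.exist?(NETRC_PATH) ? File.read(NETRC_PATH) : SAMPLE_NETRC
  token = trunk_token(text)
  if token.nil?
    warn "no #{TRUNK_HOST} entry found; run: pod trunk register EMAIL 'NAME' --description='ci'"
  else
    puts "logged in as #{trunk_login(text)}"
    puts "CI still holds a stale token" if ci_token_stale?(text, ENV['COCOAPODS_TRUNK_TOKEN'])
    puts "COCOAPODS_TRUNK_TOKEN=#{token}"
  end
end
```

Run it on the machine where you just re-registered, with the CI value exported as COCOAPODS_TRUNK_TOKEN, and the stale-token line tells you whether the secret store still has the session that was invalidated.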

If you are not a pod author, you do not need to do anything.


1.10 Beta Begins!

CocoaPods 1.10 drops support for Ruby 2.0, adds support for Ruby 2.7 and adds initial support for Xcode 12 as well as a revamped XCFramework integration process!


CocoaPods 1.9 Beta has arrived!

CocoaPods 1.9 adds support for XCFrameworks, configuration-based dependencies for pod authors, code coverage in generated schemes, and other enhancements and bug fixes!


CocoaPods 1.7.0 Beta!

CocoaPods 1.7.0 expands heavily on the improved underlying infrastructure of prior releases with support for multiple Swift versions, app specs and more!
