
Critical CocoaPods vulnerabilities patched after 10 years, affecting iOS and macOS users
Multiple vulnerabilities were uncovered in CocoaPods, an open-source repository for Swift and Objective-C, putting millions of iOS and macOS apps at risk for nearly a decade. EVA Information Security reported that these issues have been patched as of October, with no known exploits identified in any apps.
Ars Technica detailed three primary vulnerabilities affecting CocoaPods' developer login processes for managing code packages. CVE-2024-38367 involved manipulation of verification links, CVE-2024-38368 allowed control over abandoned pods, and CVE-2024-38366 enabled arbitrary code execution on the trunk server. These flaws could let attackers manipulate pods and access sensitive user information.
CocoaPods maintainer Orta Therox highlighted that the vulnerabilities could enable attackers to read environment variables, write to the CocoaPods/Specs repository, and access the trunk database. Developers are urged to synchronize their Podfile.lock files, perform CRC validation for internally developed pods, and review third-party code thoroughly. Regular security scans should be conducted to detect secrets and malicious code. The patches have been implemented, and old session keys have been wiped, so developers should update their devices and apps to incorporate these fixes.
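One concrete way to act on the "synchronize Podfile.lock" advice is to check the committed Podfile.lock against the Pods/Manifest.lock that `pod install` writes, comparing both the pinned version and the podspec checksum CocoaPods records per pod. The script below is an added example, not code from the article or from the CocoaPods project; the two lockfile samples and their 40-hex-digit checksums are constructed for illustration.

```python
import re

# Constructed sample of a committed Podfile.lock (checksums are placeholders).
PODFILE_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - SwiftyJSON (5.0.1)

SPEC CHECKSUMS:
  Alamofire: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  SwiftyJSON: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

COCOAPODS: 1.12.1
"""

# Constructed Pods/Manifest.lock where SwiftyJSON's podspec checksum differs,
# i.e. the installed podspec is not the one the team committed.
MANIFEST_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - SwiftyJSON (5.0.1)

SPEC CHECKSUMS:
  Alamofire: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  SwiftyJSON: cccccccccccccccccccccccccccccccccccccccc

COCOAPODS: 1.12.1
"""

def _section(text, name):
    """Return the indented body lines of one top-level lockfile section."""
    m = re.search(rf"^{re.escape(name)}:\n((?:[ \t]+.*\n?)*)", text, re.M)
    return m.group(1).splitlines() if m else []

def pinned_versions(text):
    """Map pod name -> pinned version from the PODS section (subspec lines
    such as 'Foo/Bar (1.0)' fold into their parent pod 'Foo')."""
    pods = {}
    for line in _section(text, "PODS"):
        m = re.match(r"^  - ([^\s/]+)(?:/\S+)? \(([^)]+)\)", line)
        if m:
            pods.setdefault(m.group(1), m.group(2))
    return pods

def spec_checksums(text):
    """Map pod name -> SHA-1 podspec checksum from SPEC CHECKSUMS."""
    pat = re.compile(r"^\s*([^:\s]+):\s*([0-9a-f]{40})\s*$")
    return {m.group(1): m.group(2)
            for m in map(pat.match, _section(text, "SPEC CHECKSUMS")) if m}

def lockfile_drift(committed, installed):
    """Report each pod whose version or podspec checksum differs between
    the committed Podfile.lock and the installed Manifest.lock."""
    findings = []
    cv, iv = pinned_versions(committed), pinned_versions(installed)
    cs, ins = spec_checksums(committed), spec_checksums(installed)
    for pod in sorted(set(cv) | set(iv)):
        if cv.get(pod) != iv.get(pod):
            findings.append(f"{pod}: version {cv.get(pod)} committed vs {iv.get(pod)} installed")
        elif cs.get(pod) != ins.get(pod):
            findings.append(f"{pod}: podspec checksum changed")
    return findings
```

A checksum mismatch with an unchanged version is the case worth alerting on in CI, since it means the podspec content changed without a version bump.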