
CVE-2024-38366

CocoaPods - Trunk Server

CocoaPods CVSS 10 Updated April 6, 2026

Executive Risk Summary

"A remote code execution vulnerability was discovered in the CocoaPods Trunk server, allowing an attacker to execute system commands and gain root access. This vulnerability was patched server-side in September 2023, and a full user-session reset was triggered as a precautionary measure."

Anticipated Attack Path

  1. Initial exploitation of the RCE vulnerability
  2. Execution of system commands to gain root access
  3. Potential modification of Podspec files to compromise dependent projects

Am I Vulnerable?

  • Verify that the CocoaPods Trunk server has been updated with the latest patch
  • Monitor for suspicious activity on the Trunk server
  • Review and validate Podspec files for any potential modifications

Operational Audit Arsenal

Target Type Service
Target Asset trunk.cocoapods.org
Standard Path CocoaPods Trunk Server

Manual Verification Required

This is a non-Windows asset (CocoaPods). Use the target asset details and official path provided above to verify your current version against the official vendor advisories listed below.

Patch Impact Forecast

Reboot Required Unlikely

Minimal, as the patch was applied server-side

Internal Work Notes

CocoaPods Trunk server RCE vulnerability - patched and user sessions reset

Intelligence Sources

Data compiled from NVD, MSRC, and CISA KEV Catalog. Intelligence synthesized via AI. Scripts provided for diagnostic purposes under MIT License.