Summary PDM automatically loads project-local plugin paths from ".pdm-plugins" during "Core" initialization. Because this path is added via "site.addsitedir()", attacker-controlled ".pth" files inside the project plugin directory are processed and can execute Python code before normal CLI handling begins. This allows arbitrary code execution with the privileges of the user running "pdm" from an untrusted repository checkout. Affected Behavior - Trigger does not require "pdm install --plugins" - A low-impact command such as "pdm --version" is sufficient - Impact is strongest in CI, privileged shells, and automation contexts Affected Code - "src/pdm/core.py:74-82" - "src/pdm/core.py:310-333" - "src/pdm/core.py:335-352" Technical Details "Core.init()" calls "load_plugins()" before ordinary command execution. "load_plugins()" calls "_add_project_plugins_library()", which derives the project-local ".pdm-plugins" library path and adds it through "site.addsitedir()". On CPython, "site.addsitedir()" processes ".pth" files found in the added directory. ".pth" lines beginning with "import " are executed immediately. This creates a trust-boundary break: project-controlled files execute before the user explicitly opts into plugin installation or plugin loading. Impact - Arbitrary code execution as the invoking user - Potential credential theft, persistence, or workspace tampering - Potential privilege escalation when "pdm" is run via "sudo", root-owned CI jobs, or privileged service accounts Reproduction PoC: Replace this with a Python interpreter that can run "python -m pdm". PDM_PY=/path/to/python-with-pdm tmpdir=$(mktemp -d) cat > "$tmpdir/pyproject.toml" <<'EOF' [project] name = "plugin-autoload-demo" version = "0.0.1" EOF purelib=$(TMPDIR_ROOT="$tmpdir/.pdm-plugins" "$PDM_PY" - <<'PY' import os import sys import sysconfig base = os.environ["TMPDIR_ROOT"] scheme_names = sysconfig.get_scheme_names() if (sys.platform == "darwin" and "osx_framework_library" in scheme_names) or sys.platform == "linux": scheme = "posix_prefix" elif sys.version_info < (3, 10): scheme = "nt" if os.name == "nt" else "posix_prefix" else: scheme = sysconfig.get_default_scheme() replace_vars = {"base": base, "platbase": base} print(sysconfig.get_path("purelib", scheme, replace_vars)) PY ) mkdir -p "$purelib" marker="$tmpdir/plugin-autoload-marker.txt" printf '%s\n' "import pathlib; pathlib.Path(r'$marker').write_text('project plugin autoload executed', encoding='utf-8')" > "$purelib/evil.pth" ( cd "$tmpdir" && "$PDM_PY" -m pdm --version ) cat "$marker" Expected result: - A temporary project is created - An "evil.pth" file is placed under ".pdm-plugins" - Running "pdm --version" creates a marker file before CLI exit Observed output from local validation: PDM, version 2.26.9 --- marker --- project plugin autoload executed Severity High CVSS v4.0 - Base score: "8.4" ("High") - Vector: "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" Rationale: - "AV:L": exploitation occurs through local execution of "pdm" against attacker-controlled repository content - "AC:L": no special bypass or race is required - "AT:N": no external precondition beyond the vulnerable workflow is required - "PR:N": the attacker does not need privileges on the victim host - "UI:A": the victim must actively run a "pdm" command in the malicious checkout - "VC:H/VI:H/VA:H": successful exploitation yields arbitrary code execution as the invoking user - "SC:N/SI:N/SA:N": the score is kept to same-system impact only Root Cause Project-local plugin paths are implicitly trusted and loaded too early, and ".pth" processing is inherited from "site.addsitedir()". Recommended Remediation - Do not auto-load project-local ".pdm-plugins" by default - Avoid "site.addsitedir()" for project-controlled plugin paths - If project plugins must be supported, require explicit opt-in such as "--enable-project-plugins" - Explicitly prevent ".pth" execution when loading project plugin paths Disclosure Notes This issue is a strong standalone CVE candidate because it yields direct code execution from repository-controlled files without requiring the victim to run a project script explicitly.