What Happened

PDM automatically loads project-local plugin paths from `.pdm-plugins` during `Core` initialization, allowing attacker-controlled `.pth` files to execute Python code before normal CLI handling begins.

Who Is Affected

Users running `pdm` from an untrusted repository checkout are affected. The impact is strongest in CI, privileged shells, and automation contexts.

Severity & Impact

The vulnerability has a CVSS score of 8.4, indicating high severity. Successful exploitation yields arbitrary code execution as the invoking user, potentially leading to credential theft, persistence, or workspace tampering.

Mitigation

To mitigate this vulnerability, stop auto-loading project-local `.pdm-plugins` by default, do not use `site.addsitedir()` for project-controlled plugin paths (it executes any `import` line found in a `.pth` file), require explicit opt-in before project plugins are loaded, and make sure `.pth` files are never processed when a project plugin path is added.
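The following is an added example, not PDM's own code, that illustrates the mechanism described under "What Happened" and the last two mitigation points above. It builds a constructed `.pdm-plugins` directory (the directory name and both `.pth` files are assumptions made for this example), flags every `.pth` line that `site.addsitedir()` would `exec()`, and shows how to put a plugin directory on `sys.path` while treating `.pth` files as path lists only, so nothing in them ever runs.

```python
"""Added example (not PDM code): audit and safely load a project plugin dir.

site.addsitedir() processes every *.pth file in the directory and exec()s any
line that begins with "import " or "import\t".  The helpers below detect such
lines and offer a loader that never executes them.
"""
import os
import sys
import tempfile
from pathlib import Path

# Prefixes that site.addpackage() treats as executable Python code.
EXECUTABLE_PREFIXES = ("import ", "import\t")


def find_executable_pth_lines(plugin_dir):
    """Return [(file_name, line_no, line)] for each .pth line site would exec()."""
    findings = []
    for pth in sorted(Path(plugin_dir).glob("*.pth")):
        with open(pth, encoding="utf-8") as fh:
            for line_no, raw in enumerate(fh, start=1):
                line = raw.rstrip("\n")
                if line.startswith(EXECUTABLE_PREFIXES):
                    findings.append((pth.name, line_no, line))
    return findings


def add_plugin_dir_without_pth_exec(plugin_dir, path_list=None):
    """Add plugin_dir and the plain path entries of its .pth files to a path list.

    Unlike site.addsitedir(), comment lines and executable "import" lines are
    skipped instead of being run.  Returns the entries that were added.
    """
    path_list = sys.path if path_list is None else path_list
    plugin_dir = os.path.abspath(plugin_dir)
    added = []
    if plugin_dir not in path_list:
        path_list.append(plugin_dir)
        added.append(plugin_dir)
    for pth in sorted(Path(plugin_dir).glob("*.pth")):
        for raw in pth.read_text(encoding="utf-8").splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or line.startswith(EXECUTABLE_PREFIXES):
                continue  # comments and executable lines are ignored, never exec()ed
            entry = os.path.join(plugin_dir, line)
            if os.path.isdir(entry) and entry not in path_list:
                path_list.append(entry)
                added.append(entry)
    return added


def build_sample_plugin_dir():
    """Constructed sample: one harmless .pth and one with an executable line."""
    plugin_dir = os.path.abspath(tempfile.mkdtemp(prefix="pdm-plugins-sample-"))
    os.mkdir(os.path.join(plugin_dir, "vendored"))
    # Harmless: a comment plus a relative path entry.
    Path(plugin_dir, "vendor.pth").write_text(
        "# constructed sample: plain path entry\nvendored\n", encoding="utf-8"
    )
    # Executable: site.addsitedir() would exec() this line; the marker it sets
    # lets a caller confirm afterwards that the safe loader never ran it.
    Path(plugin_dir, "hook.pth").write_text(
        "import os; os.environ['CONSTRUCTED_PTH_MARKER'] = 'executed'\n",
        encoding="utf-8",
    )
    return plugin_dir


def marker_executed():
    """True only if the constructed hook.pth line was actually exec()ed."""
    return os.environ.get("CONSTRUCTED_PTH_MARKER") == "executed"


def main():
    plugin_dir = build_sample_plugin_dir()
    for name, line_no, line in find_executable_pth_lines(plugin_dir):
        print(f"{name}:{line_no}: executable .pth line: {line}")
    added = add_plugin_dir_without_pth_exec(plugin_dir, [])
    print("entries added without executing anything:", added)
    print("hook.pth ran:", marker_executed())


if __name__ == "__main__":
    main()
```

Run the audit before invoking `pdm` in a checkout you do not control; any finding means the directory contains code that a `site.addsitedir()`-based loader would execute on startup. The safe loader is the same contract a plugin system can adopt: a `.pth` file may extend the search path, but it must never be allowed to run code.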