Description
pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch.
Published: 2026-01-26
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file permission changes via path traversal
Action: Immediate Patch
AI Analysis

Impact

pnpm, before version 10.28.2, processes a package's directories.bin field without validating that the resolved path remains inside the package root. A malicious npm package can set directories.bin to a value such as "../../../../tmp", and pnpm then uses path.join() to build a path that points outside the package. pnpm applies chmod 755 to files under the resulting path, giving the attacker the ability to modify the permissions of any file the pnpm process can reach, potentially granting elevated privileges or enabling further attacks.

Affected Systems

The vulnerability affects the pnpm package manager on Unix‑like operating systems—Linux, macOS, and other Unix variants—when installed at any version earlier than 10.28.2. Windows is not impacted because the potential exploit path is guarded by the EXECUTABLE_SHEBANG_SUPPORTED condition. Anyone using pnpm to install packages from untrusted registries or local sources is at risk.

Risk and Exploitability

The vulnerability received a CVSS score of 6.7, indicating moderate severity. However, the EPSS score is reported as < 1%, so the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a malicious package; once delivered, the attack can be carried out locally by the user running pnpm, allowing changes to arbitrary file permissions under that user’s filesystem scope.

Generated by OpenCVE AI on April 18, 2026 at 02:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pnpm to version 10.28.2 or later to receive the path validation patch.
  • If an immediate upgrade is not possible, avoid installing or running untrusted npm packages and consider using pnpm’s --no-bin-links flag to skip binary creation.
  • Run pnpm under a user account with the least required privileges and limit its file system access so that even if a path traversal occurs, the scope of affected files is constrained.
Advisories
Source: Github GHSA
ID: GHSA-v253-rj99-jwpq
Title: pnpm has Path Traversal via arbitrary file permission modification
History

Wed, 28 Jan 2026 17:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}
Values Added: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Tue, 27 Jan 2026 22:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 12:15:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity: None
Values Added: cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}; threat_severity: Moderate

Tue, 27 Jan 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Pnpm; Pnpm pnpm

Type: Vendors & Products
Values Added: Pnpm; Pnpm pnpm

Mon, 26 Jan 2026 22:15:00 +0000

Type: Description
Values Added: pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch.

Type: Title
Values Added: pnpm has Path Traversal via arbitrary file permission modification

Type: Weaknesses
Values Added: CWE-22; CWE-732

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T21:37:51.868Z

Reserved: 2026-01-21T18:38:22.474Z

Link: CVE-2026-24131

Vulnrichment

Updated: 2026-01-27T21:37:44.487Z

NVD

Status : Analyzed

Published: 2026-01-26T22:15:56.830

Modified: 2026-01-28T17:05:46.967

Link: CVE-2026-24131

Redhat

Severity : Moderate

Public Date: 2026-01-26T22:03:33Z

Links: CVE-2026-24131 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T02:45:27Z

Weaknesses