Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or delete arbitrary files on the filesystem during pnpm install, as the user running the install. The diff --git header paths containing ../../ sequences traverse out of the package directory, and the traversal is difficult to catch in code review because patch file diff headers are opaque to most reviewers. This vulnerability is fixed in 10.34.0 and 11.4.0.
Published: 2026-06-25
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to write or delete arbitrary files during pnpm install, leading to potential compromise of the entire project repository. It manifests through ../../ sequences in patch file diff headers, which are applied without any file path validation, exposing the container or host filesystem to modification. This is a file system manipulation weakness classified as CWE-22.

Affected Systems

pnpm versions prior to 10.34.0 and 11.4.0 are affected. The vulnerability exists in the @pnpm/patch-package module used by pnpm, a popular JavaScript package manager. Users running pnpm install in a repository that accepts patches from pull requests are at risk if the package manager is not updated.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, but no EPSS score is available, so the current probability of exploitation is unclear. The vulnerability is not listed in the CISA KEV catalog. The attack vector relies on a malicious patch file submitted via a pull request, so exploitation requires a project maintainer to accept a PR that contains a crafted .patch file. Because the path traversal in the diff header is opaque to most code reviewers, an attacker can evade manual detection and then immediately write or delete critical files during dependency installation.

Generated by OpenCVE AI on June 25, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pnpm to 10.34.0 or later, or to 11.4.0 or later, to apply the path validation fix
  • If an upgrade cannot be performed immediately, deny or reject pull requests that contain patch files, or manually review and sanitize patch headers to remove any '../../' sequences before application
  • Disable or remove the @pnpm/patch-package module from the project if patches are not required, ensuring that no unvalidated patch content can be applied

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 18:30:00 +0000

Values added (nothing removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 17:30:00 +0000

Values added (nothing removed):
  • Description: identical to the Description at the top of this page
  • Title: pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)
  • Weaknesses: CWE-22
  • References: none recorded
  • Metrics: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T17:59:33.209Z

Reserved: 2026-06-02T22:46:02.579Z

Link: CVE-2026-50015

Vulnrichment

Updated: 2026-06-25T17:59:29.365Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T18:30:14Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')