Impact
pnpm, a popular JavaScript package manager, contains a flaw that allows a transitive dependency alias in registry metadata to include path traversal segments. When pnpm resolves and links dependencies it interprets the alias as a filesystem path, enabling the attacker–controlled package to deploy symlinks that replace existing project files. The result is that critical files can be overridden with malicious content, creating a path for injection or code execution. This weakness is classified as CWE‑22 and CWE‑23, both of which address path traversal vulnerabilities.
Affected Systems
The vulnerability affects the pnpm package manager itself. Versions prior to 10.34.0 and 11.4.0 are susceptible. Users who rely on older pnpm releases in any Node.js project are at risk.
Risk and Exploitability
The flaw carries a CVSS score of 8.8. An EPSS score of < 1% indicates a very low exploitation probability, but the lack of a CISA KEV listing does not reduce the importance of remediation; the vulnerability is relevant to supply chain attacks and could be exercised whenever a malicious or compromised package is fetched from a registry. Attackers likely need to craft a module that contains path traversal in an alias and then trigger a pnpm install using the --ignore-scripts flag, which allows the symlink replacement to occur. The vulnerability reflects both CWE‑22 and CWE‑23 path traversal weaknesses, enabling unauthorized file system modification. Because the issue is resolved in released versions, the focus is on patching to eliminate exposure.
OpenCVE Enrichment
Github GHSA