Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.
Published: 2026-06-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pnpm, a popular JavaScript package manager, contains a flaw that allows a transitive dependency alias in registry metadata to include path traversal segments. When pnpm resolves and links dependencies it interprets the alias as a filesystem path, enabling the attacker–controlled package to deploy symlinks that replace existing project files. The result is that critical files can be overridden with malicious content, creating a path for injection or code execution. This weakness is classified as CWE‑22 and CWE‑23, both of which address path traversal vulnerabilities.

Affected Systems

The vulnerability affects the pnpm package manager itself. Versions prior to 10.34.0 and 11.4.0 are susceptible. Users who rely on older pnpm releases in any Node.js project are at risk.

Risk and Exploitability

The flaw carries a CVSS score of 8.8. An EPSS score of < 1% indicates a very low exploitation probability, but the lack of a CISA KEV listing does not reduce the importance of remediation; the vulnerability is relevant to supply chain attacks and could be exercised whenever a malicious or compromised package is fetched from a registry. Attackers likely need to craft a module that contains path traversal in an alias and then trigger a pnpm install using the --ignore-scripts flag, which allows the symlink replacement to occur. The vulnerability reflects both CWE‑22 and CWE‑23 path traversal weaknesses, enabling unauthorized file system modification. Because the issue is resolved in released versions, the focus is on patching to eliminate exposure.

Generated by OpenCVE AI on July 8, 2026 at 08:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pnpm to the latest version that includes the fix (10.34.0 or newer, or 11.4.0 or newer).
  • Reinstall dependencies using the updated pnpm, ensuring that the lockfile is regenerated and verified.
  • If an upgrade is not feasible, consider removing or sanitizing transitive dependencies that use alias paths or manually inspect lockfiles to detect unwanted path traversal before installation.

Generated by OpenCVE AI on July 8, 2026 at 08:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hwx4-2j3j-g496 pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
History

Tue, 07 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
References
Metrics threat_severity

None

threat_severity

Important


Thu, 25 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Pnpm
Pnpm pnpm
Vendors & Products Pnpm
Pnpm pnpm

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.
Title pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
Weaknesses CWE-23
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T03:56:20.337Z

Reserved: 2026-06-02T22:46:02.579Z

Link: CVE-2026-50016

cve-icon Vulnrichment

Updated: 2026-06-25T18:04:30.548Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T16:53:16Z

Links: CVE-2026-50016 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T08:45:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-23

    Relative Path Traversal