Description
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent. This vulnerability is fixed in 10.34.2 and 11.5.3.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability exists in pnpm versions prior to 10.34.2 and 11.5.3. A malicious package installed globally can declare the reserved keys "", "." or ".." in its manifest's bin object, and pnpm's bin-name guard lets those keys through. During a later global remove, update, or add-replacement flow pnpm re-derives the bin names from the installed manifest and passes path.join(globalBinDir, binName) to removeBin. path.join normalizes "" and "." to the global bin directory itself and ".." to its parent, so the removal targets a directory rather than a bin file inside it, potentially wiping out the PNPM_HOME directory and every globally installed package with it. The weakness is classified as CWE-22 (Path Traversal) and CWE-73 (External Control of File Name or Path).

Affected Systems

The affected product is the pnpm package manager: versions older than 10.34.2 on the 10.x line and older than 11.5.3 on the 11.x line are vulnerable. The description scopes the issue to the global installation context (a package installed globally, followed by a global remove, update, or add-replacement flow); project-local installs are not mentioned.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) is moderate. The vector rates the attack as network-delivered with no privileges required, since the attacker only has to publish a package with a reserved bin name, but it depends on user interaction: the victim must install that package globally and later run a global remove, update, or add-replacement flow. Only availability impact is scored (A:H), reflecting the loss of the global bin directory, or its parent, and all globally installed packages with it. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below rates Exploitation as 'poc', Automatable as 'no' and Technical Impact as 'partial'. The overall risk is moderate, but the impact can be significant for users who rely on global pnpm installations.

Generated by OpenCVE AI on June 25, 2026 at 18:37 UTC.

Remediation

Fixed upstream in pnpm 10.34.2 and 11.5.3, as stated in the description. No separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade pnpm to 10.34.2 or later on the 10.x line, or 11.5.3 or later on the 11.x line.
  • Before installing a package globally, review its package.json and refuse any package whose bin object uses "", "." or ".." as a key.
  • Run global pnpm commands as a non‑privileged user, and keep PNPM_HOME on a dedicated path: because ".." targets the parent of the global bin directory, a deletion can reach whatever else lives beside it.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Pnpm; Pnpm pnpm
Vendors & Products   -                Pnpm; Pnpm pnpm

Thu, 25 Jun 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 17:30:00 +0000

Type         Values Removed   Values Added
Description  -                pnpm is a package manager. Prior to 10.34.2 and 11.5.3, Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent. This vulnerability is fixed in 10.34.2 and 11.5.3.
Title        -                pnpm: reserved bin name deletes PNPM_HOME during global remove
Weaknesses   -                CWE-22; CWE-73
References   -                -
Metrics      -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T17:54:16.980Z

Reserved: 2026-06-17T00:13:10.651Z

Link: CVE-2026-55699

Vulnrichment

Updated: 2026-06-25T17:54:06.236Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-73

    External Control of File Name or Path