Description
pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe filename, and verifies the final destination before writing. This vulnerability is fixed in 11.5.3.
Published: 2026-06-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pnpm, the package manager, contains a flaw in versions 11.3.0 through 11.5.3 where the stage download command derives a local filename from registry‑controlled package name and version. A crafted package manifest can cause the download process to escape the intended directory and overwrite any reachable file. The fix validates the fields, derives a safe filename, and verifies the destination before writing.

Affected Systems

Users of pnpm version 11.3.0 up to and including 11.5.3 are affected. The vulnerability applies to the pnpm package manager. Versions 11.5.3 and newer contain the fix that validates package name and version and prevents directory traversal during stage download.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity vulnerability. No EPSS score is reported, and it is not listed in the CISA KEV catalog. The likely attack vector involves supplying a malicious package manifest through an untrusted or compromised registry, or delivering a crafted package to the pnpm install process. Exploitation requires the pnpm process to be running with the permissions of the user performing the install; the attacker can then cause pnpm to write beyond its intended download directory and overwrite arbitrary files on the local filesystem.

Generated by OpenCVE AI on June 25, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pnpm to 11.5.3 or later.
  • Avoid using untrusted or compromised registries; verify package provenance before installation.
  • If an upgrade is not immediately possible, run pnpm installs in a restricted, isolated environment and monitor the file system for unexpected writes.

Generated by OpenCVE AI on June 25, 2026 at 19:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v23m-ccfg-pq9h pnpm: `stage download` writes outside its destination directory via manifest name/version traversal
History

Fri, 03 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Thu, 25 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Pnpm
Pnpm pnpm
Vendors & Products Pnpm
Pnpm pnpm

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe filename, and verifies the final destination before writing. This vulnerability is fixed in 11.5.3.
Title pnpm: stage download writes outside destination via manifest version traversal
Weaknesses CWE-22
CWE-73
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:16:35.788Z

Reserved: 2026-06-17T00:13:10.651Z

Link: CVE-2026-55700

cve-icon Vulnrichment

Updated: 2026-06-25T18:16:26.535Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T16:47:21Z

Links: CVE-2026-55700 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-73

    External Control of File Name or Path