Impact
pnpm, the package manager, contains a flaw in versions 11.3.0 through 11.5.3 where the stage download command derives a local filename from registry‑controlled package name and version. A crafted package manifest can cause the download process to escape the intended directory and overwrite any reachable file. The fix validates the fields, derives a safe filename, and verifies the destination before writing.
Affected Systems
Users of pnpm version 11.3.0 up to and including 11.5.3 are affected. The vulnerability applies to the pnpm package manager. Versions 11.5.3 and newer contain the fix that validates package name and version and prevents directory traversal during stage download.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity vulnerability. No EPSS score is reported, and it is not listed in the CISA KEV catalog. The likely attack vector involves supplying a malicious package manifest through an untrusted or compromised registry, or delivering a crafted package to the pnpm install process. Exploitation requires the pnpm process to be running with the permissions of the user performing the install; the attacker can then cause pnpm to write beyond its intended download directory and overwrite arbitrary files on the local filesystem.
OpenCVE Enrichment
Github GHSA