Severity by source

CVSS vector (Vendor: GitHub_M, primary rating): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Submitting a public PR needs no privileges on the victim (PR:N), but a maintainer must run install (UI:R); reliable traversal (AC:L) yields high integrity/availability impact and no confidentiality loss.
Description (CVE.org)
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or delete arbitrary files on the filesystem during pnpm install, as the user running the install. The diff --git header paths containing ../../ sequences traverse out of the package directory, and the traversal is difficult to catch in code review because patch file diff headers are opaque to most reviewers. This vulnerability is fixed in 10.34.0 and 11.4.0.
Analysis (AI)
Arbitrary file write and deletion in pnpm package manager (versions prior to 10.34.0 and 11.4.0) lets a malicious contributor abuse the @pnpm/patch-package pipeline, which applies .patch files without validating the file paths in their diff --git headers. Because patch diff headers are opaque to most code reviewers, an attacker can slip ../../ traversal sequences into a pull request and, when a maintainer runs pnpm install, write attacker-controlled content to or delete arbitrary files with the privileges of the installing user. …
Vulnerability Assessment (AI)

| Section | Assessment |
|---|---|
| Exploitation | Exploitation requires that the target project uses pnpm's patch feature (a `.patch` file referenced via `patchedDependencies` in `package.json`) and that a victim with filesystem write privileges runs `pnpm install` against the attacker's contributed patch, typically after accepting or checking out a malicious pull request. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are partially conflicting and should be read together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker opens a pull request to a target repository that adds or modifies a `.patch` file referenced by `patchedDependencies`, with a `diff --git` header path containing `../../` that points at a sensitive file such as a CI script, SSH config, or shell profile. A maintainer reviews the PR, sees a plausible dependency patch, checks out the branch and runs `pnpm install`; pnpm applies the patch and writes attacker-controlled content to (or deletes) the out-of-tree target as the maintainer/CI user. … |
| Remediation | Upgrade pnpm to a fixed release (vendor-released patch: 10.34.0 for the 10.x line or 11.4.0 for the 11.x line), as documented in advisory GHSA-rxhj-4m44-96r4 (https://github.com/pnpm/pnpm/security/advisories/GHSA-rxhj-4m44-96r4); pin the upgraded version in CI runners and developer environments since the trigger is `pnpm install`. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: Inventory all internal projects and CI/CD pipelines using pnpm; document current versions for each. …
Weakness: CWE-22 – Path Traversal
References: EUVD-2026-39492, GHSA-rxhj-4m44-96r4