Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L
Primary rating from Vendor (GitHub_M) · only source for this CVE.
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under node_modules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml whose env-lockfile document contains a traversal-shaped config dependency name. During pnpm install, pnpm installs the config dependency and creates a symlink at a path derived from that name. This vulnerability is fixed in 10.34.4 and 11.8.0.
AnalysisAI
Arbitrary out-of-tree file/symlink write via path traversal in pnpm before 10.34.4 and 11.8.0 allows a malicious repository to escape node_modules/.pnpm-config by committing a crafted pnpm-lock.yaml whose env-lockfile configDependencies section carries a traversal-shaped package name. When a victim runs pnpm install, pnpm trusts that attacker-controlled name and creates a config-dependency symlink at the derived path, letting an attacker place symlinks outside the intended directory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Identify all pnpm installations and current versions across development environments and CI/CD pipelines. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Arbitrary code execution in the pnpm package manager (versions 10.0.0 through 10.25) lets a git-hosted dependency run co
pnpm is a package manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentica
Path traversal in pnpm before 10.34.0 and 11.4.0 lets a malicious registry package smuggle '../' segments inside a trans
Arbitrary code execution in the pnpm package manager (versions prior to 10.34.2 and 11.5.3) lets a malicious repository
Arbitrary command execution in pnpm before 10.34.2 and 11.5.3 allows a malicious repository to run attacker-chosen nativ
Supply-chain integrity bypass in pnpm package manager (versions ≤10.26.2, per description; GHSA states <10.26.0) allows
PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unex
Integrity-check bypass in the pnpm package manager (versions before 10.34.0/10.34.1 and 11.0.0-11.3.x) lets tampered pac
{VAR} substitution inside .npmrc tokenHelper settings combined with spawnSync invoked with shell: true. The bug primaril
Arbitrary file write and deletion in pnpm package manager (versions prior to 10.34.0 and 11.4.0) lets a malicious contri
Arbitrary command execution in pnpm before 10.34.0 and 11.4.0 allows a malicious lockfile to run code on a developer's m
Path traversal in pnpm's `pnpm stage download` command (versions 11.3.0 through 11.5.2) lets a malicious or compromised
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41883