Pnpm
Monthly
pnpm versions before 10.28.2 fail to validate the `directories.bin` field during package processing, allowing malicious packages to use path traversal (e.g., `../../../../tmp`) to escape the package root and chmod 755 files at arbitrary locations on Unix-like systems. Public exploit code exists for this vulnerability. The issue affects Linux, macOS, and Node.js environments but not Windows due to platform-specific protections.
pnpm versions prior to 10.28.2 fail to properly constrain symlink resolution when installing file: and git: dependencies, allowing malicious packages to copy sensitive files from the host system into node_modules and leak credentials. This affects developers using local file dependencies and CI/CD pipelines installing git-based packages, with public exploit code available. The vulnerability enables theft of credentials from locations like ~/.ssh/id_rsa and ~/.npmrc by exploiting symlinks to absolute paths outside the package root.
Pnpm versions up to 10.28.1 contains a vulnerability that allows attackers to overwriting config files, scripts, or other sensitive files (CVSS 6.5).
Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package directory by exploiting incomplete path normalization that fails to block backslash-based traversal sequences. Public exploit code exists for this vulnerability, which affects Windows developers and CI/CD pipelines (GitHub Actions, Azure DevOps) and could result in overwriting sensitive configuration files like .npmrc or build configurations. A patch is available in pnpm version 10.28.1 and later.
Path traversal in pnpm's binary fetcher (versions prior to 10.28.1) allows attackers to write files outside the intended extraction directory through malicious ZIP entries or crafted prefix values, potentially overwriting critical configuration files and scripts on affected systems. All pnpm users installing packages with binary assets are vulnerable, particularly those in CI/CD pipelines or with custom Node.js binary configurations. Public exploit code exists for this medium-severity vulnerability.
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. [CVSS 7.5 HIGH]
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". [CVSS 8.8 HIGH]
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. [CVSS 7.5 HIGH]
pnpm is a package manager. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
pnpm versions before 10.28.2 fail to validate the `directories.bin` field during package processing, allowing malicious packages to use path traversal (e.g., `../../../../tmp`) to escape the package root and chmod 755 files at arbitrary locations on Unix-like systems. Public exploit code exists for this vulnerability. The issue affects Linux, macOS, and Node.js environments but not Windows due to platform-specific protections.
pnpm versions prior to 10.28.2 fail to properly constrain symlink resolution when installing file: and git: dependencies, allowing malicious packages to copy sensitive files from the host system into node_modules and leak credentials. This affects developers using local file dependencies and CI/CD pipelines installing git-based packages, with public exploit code available. The vulnerability enables theft of credentials from locations like ~/.ssh/id_rsa and ~/.npmrc by exploiting symlinks to absolute paths outside the package root.
Pnpm versions up to 10.28.1 contains a vulnerability that allows attackers to overwriting config files, scripts, or other sensitive files (CVSS 6.5).
Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package directory by exploiting incomplete path normalization that fails to block backslash-based traversal sequences. Public exploit code exists for this vulnerability, which affects Windows developers and CI/CD pipelines (GitHub Actions, Azure DevOps) and could result in overwriting sensitive configuration files like .npmrc or build configurations. A patch is available in pnpm version 10.28.1 and later.
Path traversal in pnpm's binary fetcher (versions prior to 10.28.1) allows attackers to write files outside the intended extraction directory through malicious ZIP entries or crafted prefix values, potentially overwriting critical configuration files and scripts on affected systems. All pnpm users installing packages with binary assets are vulnerable, particularly those in CI/CD pipelines or with custom Node.js binary configurations. Public exploit code exists for this medium-severity vulnerability.
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. [CVSS 7.5 HIGH]
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". [CVSS 8.8 HIGH]
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. [CVSS 7.5 HIGH]
pnpm is a package manager. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.