PT-2026-4822 · Pnpm · Pnpm

Mldangelo · Published 2026-01-17 · Updated 2026-02-02 · CVE-2026-23888

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.28.1

Description: pnpm, a package manager, contains a flaw in its binary fetcher that allows a malicious package to write files outside the designated extraction directory. The flaw has two attack vectors: ZIP entries that use ../ or absolute paths to escape the extraction root when extracted through AdmZip's extractAllTo function, and the unvalidated concatenation of the BinaryResolution.prefix field into the extraction path, which lets a crafted prefix such as ../../evil redirect files. The vulnerability affects users installing packages with binary assets, users who configure custom Node.js binary locations, and CI/CD pipelines that install binary dependencies automatically. Exploitation can overwrite configuration files, scripts, and other sensitive data, potentially leading to Remote Code Execution (RCE).

Recommendations: Update pnpm to version 10.28.1 or later.

Tags: Exploit, Fix, Path traversal

Weakness Enumeration: Untrusted Search Path; Relative Path Traversal

Related Identifiers

BDU:2026-00957
CVE-2026-23888
GHSA-6PFH-P556-V868

Affected Products

Pnpm