PT-2026-4824 · Pnpm · Pnpm

Mldangelo · Published 2026-01-16 · Updated 2026-01-27 · CVE-2026-23889

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.28.1
Description: A path traversal flaw exists in pnpm's tarball extraction process on Windows systems. The vulnerability stems from incomplete path normalization: the validation of file paths accounts for the "./" prefix but not for "." on its own. This allows malicious packages to write files outside their intended package directory by using backslashes as directory separators, which Windows recognizes. A proof of concept demonstrates overwriting files such as .npmrc and build configurations. This issue specifically affects Windows pnpm users and Windows CI/CD pipelines, including GitHub Actions Windows runners and Azure DevOps. The vulnerability lies in the path normalization logic in store/cafs/src/parseTarball.ts and in the platform-dependent behavior in fs/indexed-pkg-importer/src/importIndexedDir.ts.
Recommendations: Versions prior to 10.28.1 should be updated to version 10.28.1 or later.
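The following is an added illustration, not pnpm's own code, of the kind of platform-independent entry-path check that closes the class of bug described above: backslashes are treated as separators on every host, both "./" and "." segments are collapsed before the path is inspected, and any remaining ".." segment, absolute path or drive-letter prefix rejects the entry. It assumes the leading "package/" directory of the tarball has already been stripped by the caller; the sample entry names are constructed.

```typescript
// Normalize a tarball entry name and return the safe relative path, or null
// when the entry would land outside the package directory.
function normalizeTarballEntry(entry: string): string | null {
  // Windows accepts "\" as a separator, so treat it as one on every platform;
  // a check that only looks for "/" misses "..\" style traversal.
  const unixStyle = entry.replace(/\\/g, "/");
  // Absolute paths, UNC paths ("//server/share") and drive letters ("C:") are
  // never legitimate inside a package tarball.
  if (unixStyle.startsWith("/") || /^[A-Za-z]:/.test(unixStyle)) return null;
  const kept: string[] = [];
  for (const seg of unixStyle.split("/")) {
    // Collapse "./", "//" and a bare "." rather than prefix-matching "./" only.
    if (seg === "" || seg === ".") continue;
    // Any parent reference escapes the package directory; reject outright
    // instead of trying to resolve it.
    if (seg === "..") return null;
    kept.push(seg);
  }
  // An entry that normalizes to nothing (e.g. "." or "./") is not a file.
  return kept.length === 0 ? null : kept.join("/");
}

// Walk a list of entry names and split them into accepted (normalized) and
// rejected entries, as an extractor would before writing anything to disk.
function partitionEntries(entries: string[]): { safe: string[]; rejected: string[] } {
  const safe: string[] = [];
  const rejected: string[] = [];
  for (const entry of entries) {
    const normalized = normalizeTarballEntry(entry);
    if (normalized === null) rejected.push(entry);
    else safe.push(normalized);
  }
  return { safe, rejected };
}

// Constructed sample entry names (assumption: "package/" prefix already removed).
const SAMPLE_ENTRIES: string[] = [
  "lib/index.js",
  "./package.json",
  ".\\lib\\util.js",
  "..\\outside.txt",
  "lib/../../outside.txt",
];

const result = partitionEntries(SAMPLE_ENTRIES);
console.log("accepted:", result.safe);
console.log("rejected:", result.rejected);
```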

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-01030
CVE-2026-23889
GHSA-6X96-7VC8-CM3P

Affected Products

Pnpm