PT-2026-4825 · Pnpm · Pnpm

Mldangelo · Published 2026-01-16 · Updated 2026-01-27 · CVE-2026-23890

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.28.1
Description: pnpm is susceptible to a path traversal issue in its bin linking mechanism. Malicious npm packages can exploit this to create executable shims or symlinks outside of the node_modules/.bin directory. The vulnerability arises because bin names starting with @ bypass validation, and path traversal sequences such as ../../ are not fully removed during normalization. This allows attackers to potentially overwrite configuration files, scripts, or other sensitive files in the project. The issue affects all pnpm users who install npm packages, as well as CI/CD pipelines that use pnpm.

The vulnerability lies in the bin name validation and normalization logic in pkg-manager/package-bins/src/index.ts and pkg-manager/link-bins/src/index.ts. Specifically, the filter lets any bin name starting with @ pass through without validation, the normalizeBinName function does not completely remove path traversal sequences, and the normalized name is then used directly in path.join() without further validation.

A proof-of-concept (PoC) demonstrates a malicious package with a bin entry such as @scope/../../.npmrc; when the package is installed, a .npmrc file is created in the project root, outside of the expected node_modules/.bin directory.
Recommendations: Update pnpm to version 10.28.1 or later.

Exploit

Fix

Weakness Enumeration: Relative Path Traversal

Related Identifiers: BDU:2026-00958, CVE-2026-23890, GHSA-XPQM-WM3M-F34H

Affected Products: Pnpm