PT-2026-4827 · Npm · Pnpm

Mldangelo

·

Published

2026-01-21

·

Updated

2026-01-27

·

CVE-2026-24056

CVSS v4.0

6.7

Medium

Vector: AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.28.2
Description: pnpm, a package manager, is affected by an issue where installing a file: or git: dependency allows it to follow symlinks and read their target contents without restricting them to the package root. A malicious package containing a symlink to an absolute path, such as /etc/passwd or ~/.ssh/id_rsa, can cause pnpm to copy the contents of that file into node_modules, potentially leading to local data leakage. The issue specifically impacts developers installing local/file dependencies and CI/CD pipelines installing git dependencies. This can result in credential theft through symlinks pointing to files like ~/.aws/credentials, ~/.npmrc, and ~/.ssh/id_rsa. The code in store/cafs/src/addFilesFromDir.ts uses fs.statSync() and readFileSync(), which by default follow symlinks, without verifying that the resolved path remains within the package directory. The vulnerable functions are fs.statSync() and readFileSync().
Recommendations: Versions prior to 10.28.2 should be updated to version 10.28.2 or later.

Exploit

Fix

Path traversal

Link Following


Weakness Enumeration

Related Identifiers

BDU:2026-01029
CVE-2026-24056
GHSA-M733-5W8F-5GGW

Affected Products

Pnpm