PT-2026-4829 · Npm · Pnpm
Mldangelo · Published 2026-01-21 · Updated 2026-01-27 · CVE-2026-24131
CVSS v4.0: 6.7 (Medium)
Vector: AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.28.2
Description: pnpm, a package manager, mishandles the directories.bin field of a package manifest. A malicious npm package can set this field to a traversal path such as "directories": {"bin": "../../../../tmp"} to escape its own package directory, causing pnpm to run chmod 755 on the files in an arbitrary directory on the host. Only Unix/Linux/macOS systems are affected: on Windows the fixBin step is gated by EXECUTABLE_SHEBANG_SUPPORTED and does not run. The vulnerable code is in pkg-manager/package-bins/src/index.ts, lines 15-21, where path.join() is applied to directories.bin without verifying that the resulting path stays inside the package root. The bin field is validated with isSubdir(), but directories.bin is not. A proof of concept shows a malicious package changing the mode of a sensitive file from 600 to 755, making it world-readable. Since the only trigger is installing the package (the vector's UI:A), this is a supply-chain vector via npm packages.
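As an added illustration, and not pnpm's own code, the following TypeScript contrasts the unchecked resolution described above with a containment check of the kind the advisory says guards the bin field. The manifests, the package directory, the Manifest type and all function names are constructed for this example.

```typescript
import * as path from "node:path";

// Minimal manifest shape covering only the fields relevant here (hypothetical type).
interface Manifest {
  name: string;
  bin?: string | Record<string, string>;
  directories?: { bin?: string };
}

// Constructed sample manifests; neither is a real package.
const benignManifest: Manifest = {
  name: "good-cli",
  directories: { bin: "bin" },
};
const maliciousManifest: Manifest = {
  name: "evil-cli",
  directories: { bin: "../../../../tmp" },
};

// True when `child` resolves to `parent` itself or to a path beneath it.
// Compares the first path segment of the relative path to ".." so that a
// sibling entry whose name merely starts with ".." is not misclassified.
function isSubdir(parent: string, child: string): boolean {
  const rel = path.relative(path.resolve(parent), path.resolve(child));
  if (rel === "") return true;
  if (path.isAbsolute(rel)) return false;
  return rel.split(path.sep)[0] !== "..";
}

// Unchecked resolution: directories.bin is joined onto the package root and
// the result is used as-is, so "../../../../tmp" walks out of the package.
function resolveBinDirUnchecked(pkgDir: string, manifest: Manifest): string | undefined {
  const binDir = manifest.directories?.bin;
  if (!binDir) return undefined;
  return path.join(pkgDir, binDir);
}

// Hardened resolution: same join, but any result that escapes the package
// root is rejected before anything is chmod'ed.
function resolveBinDirChecked(pkgDir: string, manifest: Manifest): string | undefined {
  const dir = resolveBinDirUnchecked(pkgDir, manifest);
  if (dir === undefined) return undefined;
  if (!isSubdir(pkgDir, dir)) {
    throw new Error(`${manifest.name}: directories.bin "${manifest.directories?.bin}" escapes the package root`);
  }
  return dir;
}

// Audit helper: reports where each manifest's bin directory would land and
// whether that location is contained in the package root.
function auditManifest(pkgDir: string, manifest: Manifest): { target: string | undefined; contained: boolean } {
  const target = resolveBinDirUnchecked(pkgDir, manifest);
  return { target, contained: target === undefined ? true : isSubdir(pkgDir, target) };
}

// Constructed install locations (depth chosen so four ".." segments reach "/").
const evilRoot = "/opt/app/node_modules/evil-cli";
const goodRoot = "/opt/app/node_modules/good-cli";
console.log(auditManifest(goodRoot, benignManifest));   // target .../good-cli/bin, contained: true
console.log(auditManifest(evilRoot, maliciousManifest)); // target /tmp, contained: false
```

Running the audit on a downloaded package directory before linking its bins is the practical check: any manifest whose directories.bin (or bin entry) resolves outside the package root should be rejected rather than chmod'ed.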
Recommendations: Update to pnpm version 10.28.2 or later. The installed version can be checked with pnpm --version.

Exploit
Fix

Weakness Enumeration: Path traversal, Incorrect Permission

Related Identifiers: BDU:2026-01028, CVE-2026-24131, GHSA-V253-RJ99-JWPQ

Affected Products: Pnpm