CVE-2026-23889

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0	Patch
https://github.com/pnpm/pnpm/releases/tag/v10.28.1	Patch
https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

17 Jun 2026, 10:22

Type	Values Removed	Values Added
Summary		(es) pnpm es un gestor de paquetes. Antes de la versión 10.28.1, una vulnerabilidad de salto de ruta en la extracción de tarball de pnpm permite a paquetes maliciosos escribir archivos fuera del directorio del paquete en Windows. La normalización de rutas solo verifica `./` pero no `.\`. En Windows, las barras invertidas son separadores de directorio, lo que permite el salto de ruta. Esta vulnerabilidad es solo para Windows. Este problema afecta a usuarios de pnpm en Windows y a las pipelines de CI/CD en Windows (ejecutores de GitHub Actions en Windows, Azure DevOps). Puede llevar a la sobrescritura de .npmrc, configuraciones de compilación u otros archivos. La versión 10.28.1 contiene un parche.

28 Jan 2026, 17:33

Type	Values Removed	Values Added
CPE		cpe:2.3:a:pnpm:pnpm::::::node.js::* cpe:2.3:o:microsoft:windows:-:::::::*
First Time		Pnpm pnpm Microsoft windows Microsoft Pnpm
References	~~() https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0 -~~	() https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0 - Patch
References	~~() https://github.com/pnpm/pnpm/releases/tag/v10.28.1 -~~	() https://github.com/pnpm/pnpm/releases/tag/v10.28.1 - Patch
References	~~() https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p -~~	() https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p - Exploit, Vendor Advisory

26 Jan 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-26 22:15

Updated : 2026-06-17 10:22

NVD link : CVE-2026-23889

Mitre link : CVE-2026-23889

CVE.ORG link : CVE-2026-23889

JSON object : View

Products Affected

pnpm

pnpm

microsoft

windows

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

6.5 /10