pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies andCI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch.
References
| Link | Resource |
|---|---|
| https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f | Patch |
| https://github.com/pnpm/pnpm/releases/tag/v10.28.2 | Release Notes |
| https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw | Vendor Advisory Exploit |
Configurations
History
28 Jan 2026, 17:27
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:* | |
| First Time |
Pnpm pnpm
Pnpm |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| References | () https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f - Patch | |
| References | () https://github.com/pnpm/pnpm/releases/tag/v10.28.2 - Release Notes | |
| References | () https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw - Vendor Advisory, Exploit |
26 Jan 2026, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-26 22:15
Updated : 2026-01-28 17:27
NVD link : CVE-2026-24056
Mitre link : CVE-2026-24056
CVE.ORG link : CVE-2026-24056
JSON object : View
Products Affected
pnpm
- pnpm