CVE-2026-24056

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies andCI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f	Patch
https://github.com/pnpm/pnpm/releases/tag/v10.28.2	Release Notes
https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*

History

17 Jun 2026, 10:22

Type	Values Removed	Values Added
References	~~() https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw - Vendor Advisory, Exploit~~	() https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw - Exploit, Vendor Advisory
Summary		(es) pnpm es un gestor de paquetes. Antes de la versión 10.28.2, cuando pnpm instala una dependencia 'file:' (directorio) o 'git:', sigue los enlaces simbólicos y lee el contenido de sus destinos sin restringirlos a la raíz del paquete. Un paquete malicioso que contiene un enlace simbólico a una ruta absoluta (por ejemplo, '/etc /passwd', '~/.ssh/id_rsa') hace que pnpm copie el contenido de ese archivo en 'node_modules', filtrando datos locales. La vulnerabilidad solo afecta a las dependencias 'file:' y 'git:'. Los paquetes de registro (npm) tienen los enlaces simbólicos eliminados durante la publicación y NO se ven afectados. El problema afecta a los desarrolladores que instalan dependencias locales/de archivo y a las tuberías de CI/CD que instalan dependencias de git. Puede conducir al robo de credenciales a través de enlaces simbólicos a '~/.aws/credentials', '~/.npmrc', '~/.ssh/id_rsa'. La versión 10.28.2 contiene un parche.

28 Jan 2026, 17:27

Type	Values Removed	Values Added
CPE		cpe:2.3:a:pnpm:pnpm::::::node.js::*
First Time		Pnpm pnpm Pnpm
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
References	~~() https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f -~~	() https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f - Patch
References	~~() https://github.com/pnpm/pnpm/releases/tag/v10.28.2 -~~	() https://github.com/pnpm/pnpm/releases/tag/v10.28.2 - Release Notes
References	~~() https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw -~~	() https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw - Vendor Advisory, Exploit

26 Jan 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-26 22:15

Updated : 2026-06-17 10:22

NVD link : CVE-2026-24056

Mitre link : CVE-2026-24056

CVE.ORG link : CVE-2026-24056

JSON object : View

Products Affected

pnpm

pnpm

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-59

Improper Link Resolution Before File Access ('Link Following')

6.5 /10