CVE-2026-24131

pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943	Patch
https://github.com/pnpm/pnpm/releases/tag/v10.28.2	Release Notes
https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*

History

17 Jun 2026, 10:22

Type	Values Removed	Values Added
Summary		(es) pnpm es un gestor de paquetes. Antes de la versión 10.28.2, cuando pnpm procesa el campo 'directories.bin' de un paquete, utiliza 'path.join()' sin validar que el resultado permanezca dentro de la raíz del paquete. Un paquete npm malicioso puede especificar "directories": {"bin": "../../../../tmp"} para escapar del directorio del paquete, haciendo que pnpm aplique chmod 755 a archivos en ubicaciones arbitrarias. Este problema solo afecta a Unix/Linux/macOS. Windows no se ve afectado ('fixBin' está restringido por 'EXECUTABLE_SHEBANG_SUPPORTED'). La versión 10.28.2 contiene un parche.

28 Jan 2026, 17:05

Type	Values Removed	Values Added
CPE		cpe:2.3:a:pnpm:pnpm::::::node.js::*
First Time		Pnpm pnpm Pnpm
References	~~() https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943 -~~	() https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943 - Patch
References	~~() https://github.com/pnpm/pnpm/releases/tag/v10.28.2 -~~	() https://github.com/pnpm/pnpm/releases/tag/v10.28.2 - Release Notes
References	~~() https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq -~~	() https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5

26 Jan 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-26 22:15

Updated : 2026-06-17 10:22

NVD link : CVE-2026-24131

Mitre link : CVE-2026-24131

CVE.ORG link : CVE-2026-24131

JSON object : View

Products Affected

pnpm

pnpm

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-732

Incorrect Permission Assignment for Critical Resource

5.5 /10