CVE-2026-23888

CVE-2026-23888

Name

CVE-2026-23888

Description

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. The issue impacts all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations and CI/CD pipelines that auto-install binary dependencies. It can lead to overwriting config files, scripts, or other sensitive files leading to RCE. Version 10.28.1 contains a patch.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5
security-advisories@github.com	https://github.com/pnpm/pnpm/releases/tag/v10.28.1
security-advisories@github.com	https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868

Type

URI

security-advisories@github.com

https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5

security-advisories@github.com

https://github.com/pnpm/pnpm/releases/tag/v10.28.1

security-advisories@github.com

https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:pnpm:pnpm::::::node.js::*`	pnpm	>= None	< 10.28.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*

pnpm

>= None

< 10.28.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
pnpm	edge-community	10.28.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.26.2-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.26.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.25.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.24.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.23.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.22.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.18.1-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.18.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.17.1-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.17.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.15.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.13.1-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.12.4-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.12.3-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.12.1-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.11.1-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.9.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.8.1-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.7.1-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.7.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.6.5-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.6.3-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.6.2-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.5.2-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.5.1-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.4.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	10.1.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	9.15.3-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	9.15.2-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	9.15.1-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	9.15.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	edge-community	9.14.4-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable
pnpm	3.23-community	10.24.0-r0	Fabricio Silva <hi@fabricio.dev>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages