CVE-2026-24056

Name
CVE-2026-24056
Description
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies and CI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type | URI
security-advisories@github.com | https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f
security-advisories@github.com | https://github.com/pnpm/pnpm/releases/tag/v10.28.2
security-advisories@github.com | https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw

Match rules

CPE URI | Source package | Min version | Max version
cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:* | pnpm | >= None | < 10.28.2

Vulnerable and fixed packages

Source package | Branch | Version | Maintainer | Status
pnpm | edge-community | 10.28.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.26.2-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.26.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.25.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.24.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.23.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.22.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.18.1-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.18.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.17.1-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.17.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.15.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.13.1-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.12.4-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.12.3-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.12.1-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.11.1-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.9.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.8.1-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.7.1-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.7.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.6.5-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.6.3-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.6.2-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.5.2-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.5.1-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.4.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 10.1.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 9.15.3-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 9.15.2-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 9.15.1-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 9.15.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | edge-community | 9.14.4-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable
pnpm | 3.23-community | 10.24.0-r0 | Fabricio Silva <hi@fabricio.dev> | possibly vulnerable