CVE-2026-24131

Name
CVE-2026-24131
Description
pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943
security-advisories@github.com https://github.com/pnpm/pnpm/releases/tag/v10.28.2
security-advisories@github.com https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:* pnpm >= None < 10.28.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
pnpm edge-community 10.28.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.26.2-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.26.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.25.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.24.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.23.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.22.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.18.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.18.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.17.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.17.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.15.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.13.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.12.4-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.12.3-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.12.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.11.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.9.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.8.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.7.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.7.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.6.5-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.6.3-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.6.2-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.5.2-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.5.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.4.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 10.1.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 9.15.3-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 9.15.2-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 9.15.1-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 9.15.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm edge-community 9.14.4-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable
pnpm 3.23-community 10.24.0-r0 Fabricio Silva <hi@fabricio.dev> possibly vulnerable