Untrusted Search Path in PNPM Affects Windows Users
CVE-2022-26183

8.8HIGH

Key Information:

Vendor: Pnpm
Status: Pnpm
Vendor: CVE Published:; 21 March 2022

What is CVE-2022-26183?

PNPM versions 6.15.1 and earlier have a vulnerability related to an untrusted search path, which can lead to unexpected behavior when executing commands in directories containing malicious files. This issue primarily affects users on the Windows operating system, potentially allowing attackers to execute arbitrary code or compromise system integrity when users inadvertently run PNPM commands in unsafe environments.

References

https://github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50...

https://github.com/pnpm/pnpm/releases/tag/v6.15.1

https://www.sonarsource.com/blog/securing-developer-tools...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 21, 2022
Vulnerability Reserved
Feb 28, 2022

CVE-2022-26183 Data

JSON

Pnpm

What is CVE-2022-26183?

References

CVSS V3.1

Timeline