Path Traversal Vulnerability in pnpm by Zoka
CVE-2026-23888

6.5 MEDIUM

Key Information:

Vendor: pnpm
Status: Vendor
CVE Published: 26 January 2026

What is CVE-2026-23888?

A path traversal vulnerability in pnpm prior to version 10.28.1 can allow malicious packages to write files outside their intended extraction directory. Attackers can exploit this vulnerability through manipulated ZIP entries that contain ../ segments or absolute paths, which escape the root directory during file extraction. Additionally, the BinaryResolution.prefix field can be leveraged to concatenate crafted prefixes such as ../../evil, redirecting extracted files outside the designated target directory. This puts users who install packages with binary assets, customize Node.js binary locations, or utilize CI/CD pipelines at risk, potentially leading to the overwriting of critical configuration files, scripts, or other sensitive information.

Affected Version(s)

pnpm < 10.28.1

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved