Symlink Vulnerability in pnpm Package Manager
CVE-2026-24056

6.7 MEDIUM

Key Information:

Vendor: pnpm

Status: Vendor

CVE Published: 26 January 2026

What is CVE-2026-24056?

Before the fix, the pnpm package manager followed symlinks that point to absolute paths when installing 'file:' or 'git:' dependencies. A malicious package that ships such a symlink can therefore expose sensitive local files, such as user credentials or SSH keys, inside the 'node_modules' directory. The risk is most acute for developer workstations and CI/CD pipelines, where it enables credential theft and data leaks. The issue is fixed in pnpm 10.28.2; users who rely on pnpm for dependency management should update to that version or later.

Affected Version(s)

pnpm < 10.28.2

CVSS v4

Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
