Directory Traversal Vulnerability in pnpm Package Manager
CVE-2026-24131

6.7 MEDIUM

Key Information:

Vendor: pnpm
Status: Vendor
CVE Published: 26 January 2026

What is CVE-2026-24131?

pnpm versions prior to 10.28.2 contain a directory traversal vulnerability in the handling of the directories.bin field of a package manifest. The bin-linking code builds the bin directory path with path.join() and never checks that the result is still inside the package directory, so a malicious npm package in the dependency tree can set directories.bin to a value such as '../../../../tmp' and make the linker operate on a location outside its own directory. The advisory describes the outcome as unauthorised access to, and modification of, files at arbitrary locations on the installing system; note that the CVSS v4 vector below records only a confidentiality impact. The issue affects Unix-like systems, including Linux and macOS. Windows is not affected because of how it handles executable files. Check the installed version with pnpm --version and upgrade to 10.28.2 or later, which contains the fix.

Affected Version(s)

pnpm < 10.28.2

CVSS v4

Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability reserved

  • Vulnerability published: 26 January 2026