Path Traversal and Arbitrary File Creation in pnpm Package Manager by PNPM Inc.
CVE-2026-55699

6.5 MEDIUM

Key Information:

Vendor: pnpm
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2026-55699?

The pnpm package manager is vulnerable to path traversal because of improper handling of the keys of a package manifest's bin object. Before versions 10.34.2 and 11.5.3, the keys '', '.' and '..' pass pnpm's bin-name guard when a malicious package is installed globally. When that package is later removed or updated globally, pnpm re-derives the bin paths from the manifest, and these keys resolve to the global bin directory itself or to its parent rather than to a file inside it, which allows arbitrary file creation in those directories. The issue underlines the need for strict validation of manifest-derived names before they are joined onto a filesystem path.

Affected Version(s)

pnpm < 10.34.2

pnpm >= 11.0.0, < 11.5.3

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Note on the listed metrics: with all three impact metrics set to None, the CVSS 3.1 base score is 0.0, not 6.5. With AV:N/AC:L/PR:N/UI:R/S:U, a base score of 6.5 corresponds to exactly one impact metric rated High, and the arbitrary file creation described above is an integrity impact. Treat the impact metrics shown here as an extraction error and check the vector string in the upstream advisory.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 25 June 2026