SB20260427152 - Multiple vulnerabilities in pnpm

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2026-24131)

The vulnerability allows a remote attacker to modify file permissions for arbitrary files.

The vulnerability exists due to path traversal in pkg-manager/package-bins/src/index.ts when processing a package's directories.bin field. A remote attacker can supply a specially crafted package to modify file permissions for arbitrary files.

Only Unix, Linux, and macOS systems are affected. Dotfiles are excluded by the default tinyglobby behavior.

2) Link following (CVE-ID: CVE-2026-24056)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper link resolution before file access in store/cafs/src/addFilesFromDir.ts when installing file: or git dependencies. A remote attacker can provide a specially crafted package containing a symlink to an absolute path to disclose sensitive information.

Only file: and git dependencies are affected; registry packages are not affected. The issue can cause local files to be copied into node_modules. User interaction is required to install the crafted dependency.

Remediation

Install update from vendor's website.

References

• https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq
• https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw