SB20260427153 - Multiple vulnerabilities in pnpm
Published: April 27, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2026-23888)
The vulnerability allows a remote attacker to write arbitrary files outside the intended extraction directory.
The vulnerability exists due to path traversal in pnpm binary fetcher when extracting binary ZIP archives or processing a crafted BinaryResolution.prefix value. A remote attacker can supply a specially crafted ZIP archive or prefix value to write arbitrary files outside the intended extraction directory.
User interaction is required to install a malicious package or otherwise process the crafted binary archive.
2) Path traversal (CVE-ID: CVE-2026-23889)
The vulnerability allows a remote attacker to write arbitrary files outside the package directory.
The vulnerability exists due to path traversal in tarball extraction in store/cafs/src/parseTarball.ts when processing a crafted tarball on Windows. A remote attacker can supply a specially crafted package tarball with backslash-based traversal sequences to write arbitrary files outside the package directory.
User interaction is required to install the crafted package, and the issue is specific to Windows systems where backslashes are treated as directory separators.
3) Path traversal (CVE-ID: CVE-2026-23890)
The vulnerability allows a remote attacker to create arbitrary files outside node_modules/.bin.
The vulnerability exists due to path traversal in pkg-manager/package-bins and pkg-manager/link-bins when processing crafted scoped bin names from an installed package. A remote attacker can supply a malicious npm package with a specially crafted bin name to create arbitrary files outside node_modules/.bin.
User interaction is required to install the malicious package.
Remediation
Install update from vendor's website.