Main Vulnerability Database Vulnerabilities #VU128183

Path traversal in pnpm - CVE-2026-23889

Published: April 27, 2026

Vulnerability identifier: #VU128183

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-23889

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: pnpm

Affected software:
pnpm

Detailed vulnerability description

The vulnerability allows a remote attacker to write arbitrary files outside the package directory.

The vulnerability exists due to path traversal in tarball extraction in store/cafs/src/parseTarball.ts when processing a crafted tarball on Windows. A remote attacker can supply a specially crafted package tarball with backslash-based traversal sequences to write arbitrary files outside the package directory.

User interaction is required to install the crafted package, and the issue is specific to Windows systems where backslashes are treated as directory separators.

How to mitigate CVE-2026-23889

Install security update from vendor's website.

Sources

https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p

Path traversal in pnpm - CVE-2026-23889

Detailed vulnerability description

How to mitigate CVE-2026-23889

Sources

Please verify you're human