Path traversal in pnpm - #VU134555

 


Published: June 15, 2026


Vulnerability identifier: #VU134555
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: pnpm
Affected software:
pnpm

Detailed vulnerability description

The vulnerability allows a remote attacker to overwrite files outside the directory selected for the download.

The vulnerability exists due to insufficient validation of the registry-controlled package name and version fields in the pnpm stage download command. The local filename for the downloaded package is derived from those two fields, so a manifest whose name or version contains path separators or ".." segments resolves to a location outside the selected download directory. A remote attacker who controls what the registry returns (a malicious or compromised package, or a malicious registry) can supply a crafted manifest to overwrite files outside that directory with the privileges of the user running the command.

User interaction is required: the victim must run the stage download command against the crafted package.


Remediation

Install the security update from the vendor's website.

Sources