Search for packages
| purl | pkg:npm/pnpm@0.69.5 |
| Next non-vulnerable version | 10.28.2 |
| Latest non-vulnerable version | 11.0.0-alpha.0 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5hux-erzs-vkfb
Aliases: CVE-2024-53866 GHSA-vm32-9rqf-rh3r |
Affected by 8 other vulnerabilities. |
|
|
VCID-6mer-khd9-mfam
Aliases: CVE-2022-26183 GHSA-9m87-6fj3-c5xh |
Untrusted Search Path in PNPM |
Affected by 9 other vulnerabilities. |
|
VCID-8a2j-f9cz-1kav
Aliases: CVE-2024-47829 GHSA-8cc4-rfj6-fhg4 |
pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modoules/, there are no version numbers for the libraries they refer to. This issue has been patched in version 10.0.0. |
Affected by 8 other vulnerabilities. |
|
VCID-che8-5n7s-sqeq
Aliases: CVE-2025-69263 GHSA-7vhp-vf5g-r2fw |
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0. |
Affected by 6 other vulnerabilities. |
|
VCID-fsge-arhh-ekh3
Aliases: CVE-2026-23889 GHSA-6x96-7vc8-cm3p |
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch. |
Affected by 2 other vulnerabilities. |
|
VCID-jd55-xw7a-ebev
Aliases: CVE-2026-24056 GHSA-m733-5w8f-5ggw |
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies andCI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ngd9-hs2s-sbbn
Aliases: CVE-2023-37478 GHSA-5r98-f33j-g8h7 |
Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
|
VCID-nntm-h1md-dffv
Aliases: CVE-2026-23890 GHSA-xpqm-wm3m-f34h |
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch. |
Affected by 2 other vulnerabilities. |
|
VCID-sf1s-d3sy-3yh4
Aliases: CVE-2026-23888 GHSA-6pfh-p556-v868 |
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. The issue impacts all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations and CI/CD pipelines that auto-install binary dependencies. It can lead to overwriting config files, scripts, or other sensitive files leading to RCE. Version 10.28.1 contains a patch. |
Affected by 2 other vulnerabilities. |
|
VCID-wbvf-6crf-67fx
Aliases: CVE-2026-24131 GHSA-v253-rj99-jwpq |
pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||