VulnerableCode Package Details - pkg:npm/pnpm@10.28.2

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-78bz-kqa9-uuft	pnpm has symlink traversal in file:/git dependencies When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. Preconditions: Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.	CVE-2026-24056 GHSA-m733-5w8f-5ggw
VCID-f6mh-kk89-8fh6	pnpm has Path Traversal via arbitrary file permission modification When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. Note: Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`).	CVE-2026-24131 GHSA-v253-rj99-jwpq

Vulnerability

Summary

Aliases

VCID-78bz-kqa9-uuft

pnpm has symlink traversal in file:/git dependencies When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. **Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.

CVE-2026-24056
GHSA-m733-5w8f-5ggw

VCID-f6mh-kk89-8fh6

pnpm has Path Traversal via arbitrary file permission modification When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. **Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`).

CVE-2026-24131
GHSA-v253-rj99-jwpq

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-05T21:57:10.747153+00:00	GHSA Importer	Fixing	VCID-f6mh-kk89-8fh6	https://github.com/advisories/GHSA-v253-rj99-jwpq	38.6.0
2026-06-05T21:57:09.692952+00:00	GHSA Importer	Fixing	VCID-78bz-kqa9-uuft	https://github.com/advisories/GHSA-m733-5w8f-5ggw	38.6.0
2026-06-04T16:54:23.118352+00:00	GithubOSV Importer	Fixing	VCID-f6mh-kk89-8fh6	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-v253-rj99-jwpq/GHSA-v253-rj99-jwpq.json	38.6.0
2026-06-04T16:54:16.007909+00:00	GithubOSV Importer	Fixing	VCID-78bz-kqa9-uuft	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-m733-5w8f-5ggw/GHSA-m733-5w8f-5ggw.json	38.6.0
2026-06-02T04:49:44.700632+00:00	GitLab Importer	Fixing	VCID-f6mh-kk89-8fh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2026-24131.yml	38.6.0
2026-06-02T04:49:44.457589+00:00	GitLab Importer	Fixing	VCID-78bz-kqa9-uuft	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2026-24056.yml	38.6.0