Package details: pkg:npm/pnpm@8.6.8
purl: pkg:npm/pnpm@8.6.8
Next non-vulnerable version: 10.28.2
Latest non-vulnerable version: 11.0.0-alpha.0
Risk
Vulnerabilities affecting this package (9)

Each entry lists the vulnerability identifier with its aliases, the advisory summary, and the version(s) that fix it (with how many other vulnerabilities still affect that fixing version).

Vulnerability: VCID-1akr-h98b-s3h8
Aliases: CVE-2026-23889, GHSA-6x96-7vc8-cm3p
Summary: pnpm has Windows-specific tarball Path Traversal. A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. **This vulnerability is Windows-only.**
Fixed by: 10.28.1 (affected by 2 other vulnerabilities)

Vulnerability: VCID-2296-5a4n-53aj
Aliases: CVE-2024-53866, GHSA-vm32-9rqf-rh3r
Fixed by: 9.15.0 (affected by 8 other vulnerabilities)

Vulnerability: VCID-6432-q5c6-w7hv
Aliases: CVE-2026-24056, GHSA-m733-5w8f-5ggw
Summary: pnpm has symlink traversal in file:/git dependencies. When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. **Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.
Fixed by: 10.28.2 (affected by 0 other vulnerabilities); 11.0.0-alpha.0 (affected by 0 other vulnerabilities)

Vulnerability: VCID-aqjh-jsfq-efe7
Aliases: CVE-2026-23888, GHSA-6pfh-p556-v868
Summary: pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip). A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) the `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`.
Fixed by: 10.28.1 (affected by 2 other vulnerabilities)

Vulnerability: VCID-d9w9-6b2g-y7ba
Aliases: CVE-2025-69262, GHSA-2phv-j68v-wwqx
Summary: pnpm vulnerable to Command Injection via environment variable substitution. A command injection vulnerability exists in pnpm when using environment variable substitution in `.npmrc` configuration files with `tokenHelper` settings. An attacker who can control environment variables during pnpm operations could achieve remote code execution (RCE) in build environments.
Fixed by: 10.27.0 (affected by 5 other vulnerabilities)

Vulnerability: VCID-s3ds-9qh7-eyfx
Aliases: CVE-2026-23890, GHSA-xpqm-wm3m-f34h
Summary: pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin. A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact.
Fixed by: 10.28.1 (affected by 2 other vulnerabilities)

Vulnerability: VCID-s9kc-j8ac-9kch
Aliases: CVE-2025-69263, GHSA-7vhp-vf5g-r2fw
Summary: pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies. HTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed.
Fixed by: 10.26.0 (affected by 6 other vulnerabilities)

Vulnerability: VCID-v4hg-dksc-bbbn
Aliases: CVE-2024-47829, GHSA-8cc4-rfj6-fhg4
Fixed by: 10.0.0 (affected by 8 other vulnerabilities)

Vulnerability: VCID-vpna-z26q-63cx
Aliases: CVE-2026-24131, GHSA-v253-rj99-jwpq
Summary: pnpm has Path Traversal via arbitrary file permission modification. When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating that the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. **Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` is gated by `EXECUTABLE_SHEBANG_SUPPORTED`).
Fixed by: 10.28.2 (affected by 0 other vulnerabilities); 11.0.0-alpha.0 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (1)

Vulnerability: VCID-4qts-drt3-eufs
Aliases: CVE-2023-37478, GHSA-5r98-f33j-g8h7
Summary: pnpm incorrectly parses tar archives relative to specification. pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry, is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-01T09:30:02.143149+00:00 | GitLab Importer | Affected by | VCID-vpna-z26q-63cx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2026-24131.yml | 38.6.0
2026-06-01T09:29:55.552966+00:00 | GitLab Importer | Affected by | VCID-6432-q5c6-w7hv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2026-24056.yml | 38.6.0
2026-06-01T09:29:45.175254+00:00 | GitLab Importer | Affected by | VCID-1akr-h98b-s3h8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2026-23889.yml | 38.6.0
2026-06-01T09:29:38.977674+00:00 | GitLab Importer | Affected by | VCID-s3ds-9qh7-eyfx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2026-23890.yml | 38.6.0
2026-06-01T09:29:26.116911+00:00 | GitLab Importer | Affected by | VCID-aqjh-jsfq-efe7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2026-23888.yml | 38.6.0
2026-06-01T09:21:34.454534+00:00 | GitLab Importer | Affected by | VCID-s9kc-j8ac-9kch | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2025-69263.yml | 38.6.0
2026-06-01T09:21:27.041713+00:00 | GitLab Importer | Affected by | VCID-d9w9-6b2g-y7ba | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2025-69262.yml | 38.6.0
2026-06-01T08:39:24.973899+00:00 | GitLab Importer | Affected by | VCID-v4hg-dksc-bbbn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2024-47829.yml | 38.6.0
2026-06-01T08:26:15.701263+00:00 | GitLab Importer | Affected by | VCID-2296-5a4n-53aj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2024-53866.yml | 38.6.0
2026-05-31T21:36:32.261853+00:00 | GHSA Importer | Fixing | VCID-4qts-drt3-eufs | https://github.com/advisories/GHSA-5r98-f33j-g8h7 | 38.6.0
2026-05-31T11:06:50.427244+00:00 | GithubOSV Importer | Fixing | VCID-4qts-drt3-eufs | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-5r98-f33j-g8h7/GHSA-5r98-f33j-g8h7.json | 38.6.0
2026-05-30T21:01:29.612865+00:00 | GitLab Importer | Fixing | VCID-4qts-drt3-eufs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2023-37478.yml | 38.6.0