| purl | pkg:npm/pnpm@9.15.0 |
| Next non-vulnerable version | 10.28.2 |
| Latest non-vulnerable version | 11.0.0-alpha.0 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1akr-h98b-s3h8 Aliases: CVE-2026-23889 GHSA-6x96-7vc8-cm3p | pnpm has Windows-specific tarball Path Traversal. A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. **This vulnerability is Windows-only.** | Affected by 2 other vulnerabilities. |
| VCID-6432-q5c6-w7hv Aliases: CVE-2026-24056 GHSA-m733-5w8f-5ggw | pnpm has symlink traversal in file:/git dependencies. When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. **Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. | Affected by 0 other vulnerabilities. |
| VCID-aqjh-jsfq-efe7 Aliases: CVE-2026-23888 GHSA-6pfh-p556-v868 | pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip). A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. | Affected by 2 other vulnerabilities. |
| VCID-d9w9-6b2g-y7ba Aliases: CVE-2025-69262 GHSA-2phv-j68v-wwqx | pnpm vulnerable to Command Injection via environment variable substitution. A command injection vulnerability exists in pnpm when using environment variable substitution in `.npmrc` configuration files with `tokenHelper` settings. An attacker who can control environment variables during pnpm operations could achieve remote code execution (RCE) in build environments. | Affected by 5 other vulnerabilities. |
| VCID-s3ds-9qh7-eyfx Aliases: CVE-2026-23890 GHSA-xpqm-wm3m-f34h | pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin. A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. | Affected by 2 other vulnerabilities. |
| VCID-s9kc-j8ac-9kch Aliases: CVE-2025-69263 GHSA-7vhp-vf5g-r2fw | pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies. HTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. | Affected by 6 other vulnerabilities. |
| VCID-v4hg-dksc-bbbn Aliases: CVE-2024-47829 GHSA-8cc4-rfj6-fhg4 | | Affected by 8 other vulnerabilities. |
| VCID-vpna-z26q-63cx Aliases: CVE-2026-24131 GHSA-v253-rj99-jwpq | pnpm has Path Traversal via arbitrary file permission modification. When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. **Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2296-5a4n-53aj | | CVE-2024-53866 GHSA-vm32-9rqf-rh3r |