GHSA-XPQM-WM3M-F34H

Vulnerability from github – Published: 2026-01-26 21:02 – Updated: 2026-01-29 03:23
VLAI?
Summary
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
Details

Summary

A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of node_modules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal sequences like ../../ remain intact.

Details

The vulnerability exists in the bin name validation and normalization logic:

1. Validation Bypass (pkg-manager/package-bins/src/index.ts)

The filter allows any bin name starting with @ to pass through without validation:

.filter((commandName) =>
  encodeURIComponent(commandName) === commandName ||
  commandName === '' ||
  commandName[0] === '@'  // <-- Bypasses validation
)

2. Incomplete Normalization (pkg-manager/package-bins/src/index.ts)

function normalizeBinName (name: string): string {
  return name[0] === '@' ? name.slice(name.indexOf('/') + 1) : name
}
// Input:  @scope/../../evil
// Output: ../../evil  <-- Path traversal preserved!

3. Exploitation (pkg-manager/link-bins/src/index.ts:288)

The normalized name is used directly in path.join() without validation.

PoC

  1. Create a malicious package:
{
  "name": "malicious-pkg",
  "version": "1.0.0",
  "bin": {
    "@scope/../../.npmrc": "./malicious.js"
  }
}
  1. Install the package:
pnpm add /path/to/malicious-pkg
  1. Observe .npmrc created in project root (outside node_modules/.bin).

Impact

  • All pnpm users who install npm packages
  • CI/CD pipelines using pnpm
  • Can overwrite config files, scripts, or other sensitive files

Verified on pnpm main @ commit 5a0ed1d45.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pnpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.28.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-26T21:02:39Z",
    "nvd_published_at": "2026-01-26T22:15:56Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA path traversal vulnerability in pnpm\u0027s bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact.\n\n### Details\nThe vulnerability exists in the bin name validation and normalization logic:\n\n**1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)**\n\nThe filter allows any bin name starting with `@` to pass through without validation:\n\n```typescript\n.filter((commandName) =\u003e\n  encodeURIComponent(commandName) === commandName ||\n  commandName === \u0027\u0027 ||\n  commandName[0] === \u0027@\u0027  // \u003c-- Bypasses validation\n)\n```\n\n**2. Incomplete Normalization (`pkg-manager/package-bins/src/index.ts`)**\n\n```typescript\nfunction normalizeBinName (name: string): string {\n  return name[0] === \u0027@\u0027 ? name.slice(name.indexOf(\u0027/\u0027) + 1) : name\n}\n// Input:  @scope/../../evil\n// Output: ../../evil  \u003c-- Path traversal preserved!\n```\n\n**3. Exploitation (`pkg-manager/link-bins/src/index.ts:288`)**\n\nThe normalized name is used directly in `path.join()` without validation.\n\n### PoC\n1. Create a malicious package:\n```json\n{\n  \"name\": \"malicious-pkg\",\n  \"version\": \"1.0.0\",\n  \"bin\": {\n    \"@scope/../../.npmrc\": \"./malicious.js\"\n  }\n}\n```\n\n2. Install the package:\n```bash\npnpm add /path/to/malicious-pkg\n```\n\n3. Observe `.npmrc` created in project root (outside node_modules/.bin).\n\n### Impact\n- All pnpm users who install npm packages\n- CI/CD pipelines using pnpm\n- Can overwrite config files, scripts, or other sensitive files\n\nVerified on pnpm main @ commit 5a0ed1d45.",
  "id": "GHSA-xpqm-wm3m-f34h",
  "modified": "2026-01-29T03:23:11Z",
  "published": "2026-01-26T21:02:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23890"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pnpm/pnpm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.