7.1 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): Low (L)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
4 packages
- pnpmBuildHook
- pnpmConfigHook
- pnpm-fixup-state-db
- pnpm-shell-completion
- @LeSuisse accepted
- @LeSuisse published on GitHub
pnpm: hoisted install imports lockfile alias outside node_modules
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted node_modules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fixed in 10.34.4 and 11.7.0.
References
-
https://github.com/pnpm/pnpm/security/advisories/GHSA-fr4h-3cph-29xv x_refsource_CONFIRM
Affected products
- ==>= 11.0.0, < 11.7.0
- ==< 10.34.4
Matching in nixpkgs
pkgs.pnpm
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_8
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_9
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_10
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_11
Fast, disk space efficient package manager for JavaScript
Ignored packages (4)
Package maintainers
-
@Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
-
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>
8.2 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): Low (L)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
4 packages
- pnpmBuildHook
- pnpmConfigHook
- pnpm-fixup-state-db
- pnpm-shell-completion
- @LeSuisse accepted
- @LeSuisse published on GitHub
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under node_modules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml whose env-lockfile document contains a traversal-shaped config dependency name. During pnpm install, pnpm installs the config dependency and creates a symlink at a path derived from that name. This vulnerability is fixed in 10.34.4 and 11.8.0.
References
-
https://github.com/pnpm/pnpm/security/advisories/GHSA-qrv3-253h-g69c x_refsource_CONFIRM
Affected products
- ==>= 11.0.0, < 11.8.0
- ==< 10.34.4
Matching in nixpkgs
pkgs.pnpm
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_8
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_9
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_10
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_11
Fast, disk space efficient package manager for JavaScript
Ignored packages (4)
Package maintainers
-
@Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
-
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>
7.1 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): Low (L)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
4 packages
- pnpmConfigHook
- pnpmBuildHook
- pnpm-fixup-state-db
- pnpm-shell-completion
- @LeSuisse accepted
- @LeSuisse published on GitHub
pnpm: patch-remove could delete project-selected files outside the patches directory
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This vulnerability is fixed in 10.34.4 and 11.7.0.
References
-
https://github.com/pnpm/pnpm/security/advisories/GHSA-72r4-9c5j-mj57 x_refsource_CONFIRM
Affected products
- ==>= 11.0.0, < 11.7.0
- ==< 10.34.4
Matching in nixpkgs
pkgs.pnpm
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_8
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_9
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_10
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_11
Fast, disk space efficient package manager for JavaScript
Ignored packages (4)
Package maintainers
-
@Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
-
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>