Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-23890

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 month, 3 weeks ago

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.

References

https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h x_refsource_CONFIRM
https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d x_refsource_MISC
https://github.com/pnpm/pnpm/releases/tag/v10.28.1 x_refsource_MISC
https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h x_refsource_CONFIRM
https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d x_refsource_MISC
https://github.com/pnpm/pnpm/releases/tag/v10.28.1 x_refsource_MISC
https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d x_refsource_MISC
https://github.com/pnpm/pnpm/releases/tag/v10.28.1 x_refsource_MISC
https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h x_refsource_CONFIRM
https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h x_refsource_CONFIRM
https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d x_refsource_MISC
https://github.com/pnpm/pnpm/releases/tag/v10.28.1 x_refsource_MISC

Affected products

pnpm

==< 10.28.1

Matching in nixpkgs

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

nixos-unstable 8.15.9
- nixpkgs-unstable 8.15.9
- nixos-unstable-small 8.15.9

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

nixos-unstable 9.15.9
- nixpkgs-unstable 9.15.9
- nixos-unstable-small 9.15.9

pkgs.pnpm_10

Fast, disk space efficient package manager for JavaScript

nixos-unstable 10.23.0
- nixpkgs-unstable 10.23.0
- nixos-unstable-small 10.23.0

pkgs.pnpm-shell-completion

Complete your pnpm command fastly

nixos-unstable 0.5.5
- nixpkgs-unstable 0.5.5
- nixos-unstable-small 0.5.5

Package maintainers

@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>
@Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
@donovanglover Donovan Glover