CVE-2026-23888
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-26

Last updated on: 2026-01-28

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. The issue impacts all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations and CI/CD pipelines that auto-install binary dependencies. It can lead to overwriting config files, scripts, or other sensitive files leading to RCE. Version 10.28.1 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-28
Generated
2026-05-07
AI Q&A
2026-01-27
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23888
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pnpm pnpm to 10.28.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in pnpm (prior to version 10.28.1) is a path traversal issue in its binary fetcher. Malicious packages can exploit it to write files outside the intended extraction directory by using crafted ZIP entries with '../' or absolute paths, or by manipulating the BinaryResolution.prefix field to redirect extracted files outside the target directory. This allows attackers to overwrite files outside the safe extraction path.


How can this vulnerability impact me? :

The vulnerability can lead to overwriting configuration files, scripts, or other sensitive files on your system. This can result in remote code execution (RCE), compromising the security and integrity of your environment. It affects all pnpm users who install packages with binary assets, those who configure custom Node.js binary locations, and CI/CD pipelines that auto-install binary dependencies.


What immediate steps should I take to mitigate this vulnerability?

Upgrade pnpm to version 10.28.1 or later, which contains a patch for this path traversal vulnerability. Avoid installing packages with binary assets from untrusted sources and review any custom Node.js binary location configurations to ensure they do not use unsafe prefixes.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart