CVE-2026-23889
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2026-23889, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-26

Last updated on: 2026-01-28

Assigner: GitHub, Inc.

Description

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-26
Last Modified
2026-01-28
Generated
2026-07-09
AI Q&A
2026-01-27
EPSS Evaluated
2026-07-08
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
pnpm pnpm to 10.28.1 (exc)
microsoft windows *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a path traversal issue in the pnpm package manager on Windows systems prior to version 10.28.1. It occurs because the tarball extraction process only checks for './' in paths but not for '.\', which is used as a directory separator on Windows. This allows malicious packages to write files outside the intended package directory by exploiting backslash separators, potentially overwriting important files.

Impact Analysis

The vulnerability can allow attackers to overwrite critical files such as .npmrc, build configuration files, or other important files on Windows systems using pnpm. This can compromise the integrity of your development environment or CI/CD pipelines, especially on Windows runners like GitHub Actions or Azure DevOps, potentially leading to unauthorized changes or disruptions.

Mitigation Strategies

Upgrade pnpm to version 10.28.1 or later, which contains a patch for this path traversal vulnerability. Additionally, review and restrict the use of untrusted packages in Windows environments and CI/CD pipelines to minimize risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart