CVE-2026-23890
BaseFortify
Publication date: 2026-01-26
Last updated on: 2026-01-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pnpm | pnpm | < 10.28.1 (all versions before 10.28.1; 10.28.1 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a path traversal issue in pnpm's bin linking process in versions before 10.28.1. When pnpm links a dependency's declared executables into 'node_modules/.bin', a malicious npm package can cause the executable shim or symlink to be created outside that directory. Bin names starting with '@' bypass the name validation, and path traversal sequences such as '../../' survive the scope normalization step, so the resulting target path resolves to a location outside 'node_modules/.bin'.
How can this vulnerability impact me?
Because the shim is written wherever the traversal resolves, installing a malicious package can overwrite configuration files, scripts, or other sensitive files on the host that runs pnpm install. This compromises the integrity of the environment, and may allow attacker-controlled code to execute or disrupt CI/CD pipelines and developer workflows. The attack requires that the malicious package (or a transitive dependency of it) be installed, which is typical of supply-chain attacks on package registries.
What immediate steps should I take to mitigate this vulnerability?
Upgrade pnpm to version 10.28.1 or later, which contains the patch for the path traversal in bin linking; `pnpm --version` shows the version in use. Until the upgrade is in place, be especially cautious about installing new or unfamiliar packages, since the vulnerability is triggered during installation.