CVE-2026-24056
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-26

Last updated on: 2026-01-28

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies andCI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-28
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24056
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pnpm pnpm to 10.28.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive local files when installing certain dependencies. It can result in credential theft by exposing files like ~/.aws/credentials, ~/.npmrc, or ~/.ssh/id_rsa. This affects developers installing local or file dependencies and CI/CD pipelines installing git dependencies, potentially compromising security and confidentiality of sensitive information.

Executive Summary

This vulnerability in pnpm occurs when installing 'file:' or 'git:' dependencies prior to version 10.28.2. pnpm follows symlinks and reads the contents of their target files without restricting access to the package root directory. A malicious package can include a symlink to an absolute path on the local system (such as /etc/passwd or ~/.ssh/id_rsa), causing pnpm to copy sensitive local files into the node_modules directory, thereby leaking local data.

Mitigation Strategies

Upgrade pnpm to version 10.28.2 or later, as this version contains a patch that fixes the vulnerability. Avoid installing untrusted local 'file:' or 'git:' dependencies that may contain malicious symlinks.

Compliance Impact

This vulnerability can lead to the leakage of sensitive local data such as credentials and private keys by copying files like ~/.aws/credentials and ~/.ssh/id_rsa into node_modules. Such data leakage could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access or disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24056. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart