CVE-2026-24056
BaseFortify
Publication date: 2026-01-26
Last updated on: 2026-01-28
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pnpm | pnpm | all versions before 10.28.2 (10.28.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive local files when installing certain dependencies. It can result in credential theft by exposing files like ~/.aws/credentials, ~/.npmrc, or ~/.ssh/id_rsa. This affects developers installing local or file dependencies and CI/CD pipelines installing git dependencies, potentially compromising security and confidentiality of sensitive information.
Can you explain this vulnerability to me?
This vulnerability in pnpm occurs when installing 'file:' or 'git:' dependencies with a pnpm version prior to 10.28.2. pnpm follows symlinks inside the package and reads the contents of their target files without checking that the target stays inside the package root directory. A malicious package can therefore include a symlink to an absolute path on the local system (such as /etc/passwd or ~/.ssh/id_rsa), causing pnpm to copy that local file into the node_modules directory, thereby leaking local data.
What immediate steps should I take to mitigate this vulnerability?
Upgrade pnpm to version 10.28.2 or later, as this version contains a patch that fixes the vulnerability. Avoid installing untrusted local 'file:' or 'git:' dependencies that may contain malicious symlinks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can lead to the leakage of sensitive local data such as credentials and private keys by copying files like ~/.aws/credentials and ~/.ssh/id_rsa into node_modules. Such data leakage could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access or disclosure.