CVE-2026-50015
Status: Undergoing Analysis - In Progress
Path Traversal in pnpm Patch Package

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or delete arbitrary files on the filesystem during pnpm install, as the user running the install. The diff --git header paths containing ../../ sequences traverse out of the package directory, and the traversal is difficult to catch in code review because patch file diff headers are opaque to most reviewers. This vulnerability is fixed in 10.34.0 and 11.4.0.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
pnpm | pnpm | up to 10.34.0 (excluding)
pnpm | pnpm | up to 11.4.0 (excluding)
CWE ID | Description
CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions
Executive Summary

CVE-2026-50015 is a high-severity vulnerability in the pnpm package manager caused by a lack of path validation in the patch application process of the @pnpm/patch-package library.

When a user runs pnpm install, patch files are processed without sanitizing file paths extracted from .patch files. An attacker can submit a malicious patch file containing path traversal sequences (like ../../) that allow writing or deleting arbitrary files outside the intended package directory.

This means an attacker can modify or remove sensitive files on the filesystem with the privileges of the user running the install, potentially compromising system or user data.

Impact Analysis

This vulnerability can lead to unauthorized modification or deletion of arbitrary files on your filesystem during the pnpm install process.

  • Attackers can write malicious content to sensitive files such as SSH authorized keys, shell configuration files, or CI/CD pipeline files.
  • It can compromise system integrity by altering important files, and availability by deleting critical files.
  • Since the exploit runs with the privileges of the user executing pnpm install, it can lead to significant security breaches depending on the user's permissions.
Detection Guidance

This vulnerability can be detected by inspecting patch files (.patch) used during pnpm install for path traversal sequences such as ../../ in the diff --git header paths. These sequences indicate attempts to traverse outside the package directory.

A practical approach is to search your project or workspace for patch files containing such traversal patterns before running pnpm install.

  • Use a command like: grep -r --include='*.patch' '\.\.\/' . to find patch files with path traversal sequences.
  • Review pull requests for any patch files that include suspicious diff headers with ../../ sequences.
Mitigation Strategies

To mitigate this vulnerability immediately, upgrade pnpm to version 10.34.0 or later, or 11.4.0 or later, where the patch application pipeline performs proper path validation.

Additionally, avoid applying patches from untrusted sources or pull requests without thorough review, especially those containing patch files.

Implement validation or sanitization of patch file paths to reject any that contain path traversal sequences before running pnpm install.

Compliance Impact

This vulnerability allows attackers to write or delete arbitrary files on the filesystem during pnpm install by exploiting path traversal in patch files. Such unauthorized file modifications can lead to compromise of sensitive files, including SSH keys and CI/CD configurations.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to alter or delete sensitive files could potentially lead to breaches of confidentiality, integrity, and availability requirements mandated by these regulations.

Therefore, exploitation of this vulnerability could indirectly impact compliance by enabling unauthorized access or modification of sensitive data or system configurations, which are critical for meeting regulatory standards.
