CVE-2026-50016
Status: Undergoing Analysis - In Progress
Path Traversal in pnpm Package Manager

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs
Vendor   Product   Version / Range
pnpm     pnpm      < 10.34.0 (excluding)
pnpm     pnpm      < 11.4.0 (excluding)
pnpm     pnpm      10.34.0
pnpm     pnpm      11.4.0
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
AI Quick Actions
Compliance Impact

This vulnerability allows an attacker to replace critical project files or directories with symlinks to attacker-controlled locations, potentially leading to unauthorized modification or execution of code within a project.

Such unauthorized access and modification can compromise the confidentiality, integrity, and availability of data and systems, which are core principles in standards like GDPR and HIPAA.

By enabling attackers to silently rewire project paths and execute malicious payloads during normal operations (e.g., git commits, CI workflows), this vulnerability could lead to data breaches or unauthorized data manipulation, thereby impacting compliance with these regulations.

Executive Summary

This vulnerability exists in pnpm, a package manager, where prior to versions 10.34.0 and 11.4.0, a transitive dependency alias from registry package metadata could contain path traversal segments.

During installation, pnpm uses that alias as a filesystem path when linking dependency nodes. A malicious registry package can therefore cause `pnpm install --ignore-scripts` to replace paths in the current project with symbolic links pointing to attacker-controlled dependency package directories.

This allows an attacker to manipulate the filesystem structure of the project by injecting symlinks to malicious locations.

Impact Analysis

This vulnerability can have severe impacts including high confidentiality, integrity, and availability risks.

An attacker can replace legitimate project paths with symlinks to attacker-controlled directories, potentially leading to unauthorized access, modification, or disruption of project files.

This can result in compromised project integrity, execution of malicious code, or denial of service within the development environment.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade pnpm to version 10.34.0 or later, or 11.4.0 or later, where the issue has been fixed.

Detection Guidance

This vulnerability can be detected by checking for unexpected or suspicious symbolic links in your project directories, especially within `.git/hooks`, `.husky`, `scripts/`, or `.github/actions/` folders. These symlinks may point outside the intended `node_modules` directory to attacker-controlled locations.

You can use commands to find such symlinks and verify their targets. For example, running the following command in your project root can help identify symlinks that point outside the project directory:

  • find . -type l -exec ls -l {} +

To specifically check if any symlinks point outside the project directory, you can use a script or command to detect symlinks with targets containing path traversal segments or pointing outside the current directory.

  • find . -type l -exec sh -c 'printf "%s -> %s\n" "$1" "$(readlink -f "$1")"' _ {} \; | grep -vF -- "-> $(pwd -P)/"
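The commands above list every symlink. The script below, an added example that is not part of this advisory or of pnpm itself, narrows the check to what this CVE produces: it skips `node_modules` (where pnpm's own symlinks legitimately live) and reports any other symlink in the project together with a verdict on where it resolves, so a `.git/hooks` or `scripts/` entry that now points into `node_modules/.pnpm` or outside the project stands out. It assumes POSIX sh and a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example (not from the advisory or the pnpm project): report symlinks
# that sit outside any node_modules directory under a project root, with the
# path each one resolves to. pnpm legitimately creates symlinks inside
# node_modules; a symlink at .git/hooks, .husky or scripts/ that resolves into
# node_modules (or outside the project) is the pattern this CVE produces.
# Assumes POSIX sh and a readlink that supports -f (GNU coreutils, BusyBox).

# Usage: report_symlinks PROJECT_ROOT
# One line per symlink: "<verdict>TAB<link relative to root>TAB<target>" with
# verdict in {into-node_modules, outside-project, dangling, inside-project}.
report_symlinks() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    # -prune keeps find out of node_modules, where pnpm's own symlinks live.
    find "$root" -name node_modules -prune -o -type l -print |
    while IFS= read -r link; do
        if [ ! -e "$link" ]; then
            # -e follows the link; a missing target means it dangles.
            verdict=dangling
            target=$(readlink "$link")
        else
            target=$(readlink -f "$link")
            case "$target" in
                "$root"/node_modules/*|"$root"/*/node_modules/*)
                    verdict=into-node_modules ;;
                "$root"/*)
                    verdict=inside-project ;;
                *)
                    verdict=outside-project ;;
            esac
        fi
        printf '%s\t%s\t%s\n' "$verdict" "${link#"$root"/}" "$target"
    done
}

# Usage: count_suspicious PROJECT_ROOT
# Number of symlinks that resolve into node_modules or outside the project,
# the two verdicts worth investigating after an install.
count_suspicious() {
    report_symlinks "$1" | awk -F'\t' '
        $1 == "into-node_modules" || $1 == "outside-project" { n++ }
        END { print n + 0 }'
}
```

Run `report_symlinks .` from the project root after `pnpm install`; a clean project that uses no symlinks of its own prints nothing at all.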

Additionally, reviewing your `pnpm-lock.yaml` or package metadata for dependency aliases containing path traversal segments (e.g., `@x/../../../../../.git/hooks`) can help detect malicious packages.
