CVE-2026-55699
Status: Undergoing Analysis - In Progress
Path Traversal in pnpm Global Bin Directory

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent. This vulnerability is fixed in 10.34.2 and 11.5.3.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor / Product / Version Range
pnpm pnpm to 10.34.2 (inc)
pnpm pnpm to 11.5.3 (inc)
pnpm pnpm to 11.5.3 (exc)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects the pnpm package manager versions prior to 10.34.2 and 11.5.3. It involves the handling of certain keys in the manifest bin object, specifically keys like "", ".", and "..". These keys were able to bypass pnpm's bin-name guard. When a malicious package containing these keys was installed globally, subsequent global operations such as remove, update, or add-replacement could reconstruct these names and pass them to a function that removes binaries. For the key ".", this operation targets the global bin directory itself, and for the key "..", it targets the parent directory of the global bin directory. This could lead to unintended removal of important files or directories.

Impact Analysis

The vulnerability can cause high impact on availability by allowing malicious packages to remove critical files or directories when global package operations are performed. Specifically, it can lead to the deletion of the global bin directory or its parent directory, potentially breaking system-wide tools or environments that rely on those directories.

Mitigation Strategies

To mitigate this vulnerability, update pnpm to version 10.34.2 or later, or 11.5.3 or later, where the issue has been fixed.

Detection Guidance

This vulnerability involves malicious packages with reserved bin names such as "", ".", "..", or scoped forms like "@scope/.." being installed globally in pnpm. Detection involves checking for globally installed packages that have these reserved or suspicious bin names in their manifests.

To detect this on your system, you can inspect the global pnpm packages and their bin entries for reserved or suspicious names.

  • List globally installed pnpm packages: pnpm ls -g --json
  • Check the bin entries in each package manifest for reserved names such as "", ".", or ".." by inspecting the package.json files in the global pnpm directory.
  • Example command to find suspicious bin names in global packages (adjust the path to your global pnpm directory): grep -r '"bin"' $(pnpm root -g) | grep -E '""|"\."|"\.\."' Note that this only matches when the bin object is written on the same line as the "bin" key; for multi-line manifests, parse the JSON and check the bin keys directly.

If such bin names are found, it indicates the presence of packages that could exploit this vulnerability.
