CVE-2026-55700
Status: Undergoing Analysis - In Progress
Path Traversal in pnpm Package Manager

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe filename, and verifies the final destination before writing. This vulnerability is fixed in 11.5.3.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs

Vendor  Product  Version / Range
pnpm    pnpm     From 11.3.0 (inc) to 11.5.3 (inc)
pnpm    pnpm     From 11.3.0 (inc) to 11.5.3 (exc)
pnpm    pnpm     11.5.3
CWE ID   Description
CWE-22   The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-73   The product allows user input to control or influence paths or file names that are used in filesystem operations.
AI Quick Actions
Executive Summary

This vulnerability exists in the pnpm package manager versions 11.3.0 through 11.5.2 in the `stage download` command. It arises because the filename used for downloaded packages is derived directly from the package name and version fields controlled by the registry without proper validation.

An attacker can craft a malicious package manifest with specially designed package name or version fields that include path traversal characters. This allows the attacker to escape the intended download directory and overwrite arbitrary files on the filesystem.

The vulnerability was fixed in version 11.5.3 by implementing strict validation of package names and versions, normalizing filenames to remove path components, and verifying that the final file path remains within the designated download directory before writing any files.

Impact Analysis

This vulnerability can impact you by allowing an attacker to overwrite arbitrary files on your system if you use vulnerable versions of pnpm and run the `stage download` command with a malicious package manifest.

The impact includes potential integrity loss of your files, as attackers can replace or modify files outside the intended directory. This could lead to unauthorized code execution, corruption of important data, or disruption of system availability.

The CVSS score of 7.1 reflects a high impact on integrity and a moderate impact on availability, with no confidentiality impact. Exploitation requires no special privileges but does require user interaction to trigger the download of the malicious package.

Detection Guidance

This vulnerability involves the pnpm package manager versions 11.3.0 to 11.5.2, specifically in the `stage download` command where crafted package manifests can cause path traversal and overwrite files outside the intended directory.

To detect if your system is vulnerable, first check the installed pnpm version by running:

  • pnpm --version

If the version is between 11.3.0 and 11.5.2 inclusive, your system is vulnerable.

To detect exploitation attempts or suspicious activity related to this vulnerability, monitor for errors or logs indicating invalid tarball filenames or directory traversal attempts during `pnpm stage download` operations.

You can also search your system logs for the error string `INVALID_TARBALL_FILENAME` which is thrown when traversal attempts are detected in fixed versions.

The resources for this CVE give no network-level detection commands; monitoring file system changes, in particular unexpected file overwrites in or near the directories pnpm uses for staging downloads, may help detect exploitation.

Mitigation Strategies

The primary mitigation step is to upgrade pnpm to version 11.5.3 or later, where the vulnerability is fixed by validating package names and versions and preventing directory traversal.

If upgrading immediately is not possible, avoid running the `pnpm stage download` command on untrusted package manifests or sources.

Additionally, restrict user permissions and access to the pnpm staging directories to limit potential damage from exploitation.

Monitor logs for any `INVALID_TARBALL_FILENAME` errors or suspicious file writes outside the expected directories.

Compliance Impact

This vulnerability allows an attacker to perform a path traversal attack via crafted package manifests, potentially overwriting arbitrary files outside the intended download directory.

Such unauthorized file overwrites could lead to integrity violations of system files or application data, which may impact compliance with standards and regulations that require data integrity and protection against unauthorized modification, such as GDPR and HIPAA.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.
