CVE-2026-59194
Received Received - Intake

Path Traversal in pnpm via Crafted Patch Entry

Vulnerability report for CVE-2026-59194, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This vulnerability is fixed in 10.34.4 and 11.7.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
pnpm pnpm to 10.34.4 (exc)
pnpm pnpm From 11.0.0 (inc) to 11.7.0 (exc)
pnpm pnpm 11.7.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59194 is a high-severity vulnerability in the pnpm package manager affecting versions below 10.34.4 and between 11.0.0 to 11.7.0.

The vulnerability involves the `patch-remove` command, which could be exploited by crafting a patch entry that resolves outside the configured patches directory.

This improper validation allows the command to delete arbitrary reachable files outside the intended directory, enabling path traversal attacks through symlinks or absolute paths.

The fix ensures stricter validation by canonicalizing parent directories and preventing directory traversal, Windows drive escapes, and UNC escapes before deleting any files.

Impact Analysis

This vulnerability can allow an attacker to delete arbitrary files on the system where pnpm is used.

Such unauthorized file deletion can compromise system integrity by removing critical files, potentially disrupting applications or system operations.

Because the attack vector is network-based and requires low complexity, it poses a significant risk without needing user interaction.

Detection Guidance

This vulnerability involves the pnpm patch-remove command deleting arbitrary files due to improper path validation. Detection would involve checking the version of pnpm installed and monitoring usage of the patch-remove command for suspicious or crafted patch entries that attempt path traversal.

Specifically, you can detect vulnerable versions by running the command to check pnpm version:

  • pnpm --version

If the version is below 10.34.4 or between 11.0.0 and 11.7.0, the system is vulnerable.

Additionally, you can audit patch entries used with patch-remove for any that contain absolute paths, parent directory traversal sequences (e.g., "../"), or symlinks that resolve outside the configured patches directory.

Mitigation Strategies

The immediate mitigation step is to upgrade pnpm to a fixed version where this vulnerability is resolved.

  • Upgrade pnpm to version 10.34.4 or later, or to version 11.7.0 or later.

Until the upgrade is applied, avoid using the patch-remove command with untrusted or crafted patch entries that could exploit path traversal.

Ensure that any patch-remove operations are performed with trusted inputs and consider restricting access to the pnpm patch-remove functionality to trusted users only.

Compliance Impact

This vulnerability allows an attacker to delete arbitrary files outside the intended patches directory, potentially impacting system integrity.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, unauthorized deletion of critical files could lead to data loss or disruption of systems that handle sensitive information, which may indirectly affect compliance with such regulations.

Organizations relying on pnpm in affected versions should consider the risk of data integrity and availability impacts when assessing their compliance posture.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59194. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart