CVE-2026-59195
Received Received - Intake

Path Traversal in pnpm Package Manager

Vulnerability report for CVE-2026-59195, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under node_modules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml whose env-lockfile document contains a traversal-shaped config dependency name. During pnpm install, pnpm installs the config dependency and creates a symlink at a path derived from that name. This vulnerability is fixed in 10.34.4 and 11.8.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
pnpm pnpm to 11.8.0 (exc)
pnpm pnpm 10.34.4
pnpm pnpm 11.8.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59195 is a path traversal vulnerability in the pnpm package manager. It occurs because pnpm accepts package names from the env lockfile's configDependencies section and uses those names directly to create symlinks under the node_modules/.pnpm-config directory without proper validation.

A malicious repository can include a specially crafted pnpm-lock.yaml file containing a traversal-shaped config dependency name (for example, ../../PWNED_CFGDEP). When pnpm installs packages, it creates a symlink at a path derived from this name, which can escape the intended directory.

This allows an attacker to create symlinks outside the restricted directory, potentially leading to unauthorized filesystem writes in the victim's project directory.

Impact Analysis

This vulnerability can impact you by allowing an attacker to write files or create symlinks outside the intended directory in your project filesystem.

Because the vulnerability provides a filesystem write primitive, an attacker could potentially manipulate files in your project directory, which may lead to integrity compromise.

The attack does not require any privileges and can be executed remotely via a malicious repository, making it easier to exploit.

Detection Guidance

This vulnerability can be detected by inspecting the pnpm-lock.yaml file in your project for any configDependencies entries containing path traversal patterns such as "../" sequences.

You can also check for unexpected symlinks created outside the intended node_modules/.pnpm-config directory, which may indicate exploitation.

  • Use a command like `grep -r --include=pnpm-lock.yaml 'configDependencies' .` to find suspicious entries in lockfiles.
  • Run `find node_modules/.pnpm-config -type l -exec ls -l {} \;` to list symlinks and verify their target paths do not escape the intended directory.
  • Check for symlinks pointing outside the project directory with `find node_modules/.pnpm-config -type l -exec readlink -f {} \; | grep -v $(pwd)`.
Mitigation Strategies

The immediate mitigation step is to upgrade pnpm to a fixed version: at least 10.34.4 for the 10.x branch or 11.8.0 and above for the 11.x branch.

Avoid using vulnerable versions of pnpm when installing packages, especially from untrusted repositories.

Review and validate the pnpm-lock.yaml files for any suspicious configDependencies entries before running pnpm install.

Ensure that your build or CI environment does not run pnpm install with untrusted lockfiles without validation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59195. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart