CVE-2026-59196
Received Received - Intake

Path Traversal in pnpm Package Manager

Vulnerability report for CVE-2026-59196, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted node_modules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fixed in 10.34.4 and 11.7.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
pnpm pnpm From 11.0.0 (inc) to 11.7.0 (exc)
pacquet pacquet to 11.7.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59196 is a high-severity vulnerability in pnpm and pacquet package managers affecting versions below 10.34.4 and between 11.0.0 to 11.6.9. The issue arises from a crafted lockfile alias that can bypass security boundaries in hoisted node_modules directories.

Specifically, traversal aliases could escape the intended node_modules directory, and reserved aliases like .bin or .pnpm could overwrite pnpm-owned layout directories. This happens due to improper validation of package names and path containment before filesystem operations.

The vulnerability allows attackers to access or modify files outside the intended scope by exploiting path traversal and external control of file names or paths.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detection of this vulnerability involves identifying pnpm or pacquet installations running vulnerable versions below 10.34.4 and between 11.0.0 to 11.6.9 for pnpm, or below 11.7.0 for pacquet.

You can check the installed version of pnpm or pacquet with the following commands:

  • pnpm --version
  • pacquet --version

Additionally, to detect potential exploitation attempts, you can scan your project directories for suspicious lockfile aliases that include traversal patterns or reserved names such as `.bin` or `.pnpm`.

For example, you might search for traversal aliases in lockfiles using commands like:

  • grep -rE '(\.\./|/\.\./|\.bin|\.pnpm)' path/to/your/project

Monitoring filesystem changes outside the expected `node_modules` directory could also indicate exploitation attempts.

Impact Analysis

This vulnerability can impact you by allowing unauthorized access or modification of files outside the intended node_modules directory.

An attacker could overwrite critical directories such as .bin or .pnpm, potentially compromising the integrity of your package manager's layout and operations.

The CVSS score of 7.1 indicates a high impact on integrity and a moderate impact on availability, meaning your system's data integrity could be seriously affected and availability could be somewhat impacted.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade pnpm to version 10.34.4 or later, or to version 11.7.0 or later if you are using the 11.x series.

Similarly, if you are using pacquet, upgrade to version 11.7.0 or later.

These versions include fixes that reject traversal, absolute, or reserved package names, preventing exploitation by enforcing strict containment rules during filesystem operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59196. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart