VYPR
Moderate severityOSV Advisory· Published Jan 26, 2026· Updated Jan 27, 2026

pnpm has Windows-specific tarball Path Traversal

CVE-2026-23889

Description

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for ./ but not .\. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting .npmrc, build configs, or other files. Version 10.28.1 contains a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
pnpmnpm
< 10.28.110.28.1

Affected products

2
  • Range: 0.19.0, @pnpm/headless@0.6.2, @pnpm/utils@0.6.1, …
  • ghsa-coords
    Range: < 10.28.1

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.