pnpm has symlink traversal in file:/git dependencies
Description
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: (directory) or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., /etc/passwd, ~/.ssh/id_rsa) causes pnpm to copy that file's contents into node_modules, leaking local data. The vulnerability only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies andCI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to ~/.aws/credentials, ~/.npmrc, ~/.ssh/id_rsa. Version 10.28.2 contains a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pnpmnpm | < 10.28.2 | 10.28.2 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-m733-5w8f-5ggwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24056ghsaADVISORY
- github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70fghsax_refsource_MISCWEB
- github.com/pnpm/pnpm/releases/tag/v10.28.2ghsax_refsource_MISCWEB
- github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggwghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.