npm package
pnpm
pkg:npm/pnpm
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-24131 | — | | | < 10.28.2 | 10.28.2 | Jan 26, 2026 | pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to esca |
| CVE-2026-24056 | — | | | < 10.28.2 | 10.28.2 | Jan 26, 2026 | pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g |
| CVE-2026-23890 | — | | | < 10.28.1 | 10.28.1 | Jan 26, 2026 | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalizat |
| CVE-2026-23889 | — | | | < 10.28.1 | 10.28.1 | Jan 26, 2026 | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes ar |
| CVE-2026-23888 | — | | | < 10.28.1 | 10.28.1 | Jan 26, 2026 | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or |
| CVE-2025-69262 | — | | | >= 6.25.0, < 10.27.0 | 10.27.0 | Jan 7, 2026 | pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could a |
| CVE-2025-69264 | — | | | >= 10.0.0, < 10.26.0 | 10.26.0 | Jan 7, 2026 | pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via |
| CVE-2025-69263 | — | | | < 10.26.0 | 10.26.0 | Jan 7, 2026 | pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who p |
| CVE-2024-47829 | — | | | < 10.0.0 | 10.0.0 | Apr 23, 2025 | pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the |
| CVE-2024-53866 | — | | | < 9.15.0 | 9.15.0 | Dec 10, 2024 | The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (i |
| CVE-2023-37478 | — | | | < 7.33.4 | 7.33.4 | Aug 1, 2023 | pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or wh |
| CVE-2022-26183 | — | | | < 6.15.1 | 6.15.1 | Mar 21, 2022 | PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS. |