CVE-2026-59194 in pnpm
Summary
by MITRE • 07/06/2026
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This vulnerability is fixed in 10.34.4 and 11.7.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/06/2026
This vulnerability affects pnpm package manager versions prior to 10.34.4 and 11.7.0, representing a critical path traversal flaw that could enable arbitrary file deletion through malicious patch entries. The issue stems from insufficient validation of patch file paths during the patch removal process, allowing crafted patch entries to escape the designated patches directory and target files anywhere within the reachable filesystem. This represents a classic path traversal vulnerability that violates secure coding principles and could be exploited by attackers to compromise system integrity.
The technical implementation of this flaw occurs when pnpm processes patch entries through the patch-remove command, where input validation fails to properly sanitize or restrict file paths. Attackers can craft malicious patch entries that contain directory traversal sequences such as '../' or similar constructs that allow them to navigate outside the intended patches directory. When the patch-remove functionality executes, it operates on these malformed paths without proper boundary checks, resulting in unintended file deletion operations that can target critical system files, configuration data, or user information stored anywhere within the filesystem reachable from the pnpm process execution context.
The operational impact of this vulnerability extends beyond simple file deletion to encompass potential system compromise and data loss scenarios. An attacker with access to modify patch entries could potentially target sensitive files such as configuration files, log data, or even system binaries if the pnpm process runs with elevated privileges. The vulnerability affects both local development environments and continuous integration systems where pnpm is used for dependency management, creating exposure points in software supply chain processes. This flaw particularly impacts organizations using automated patch management workflows where untrusted patch entries might be processed without proper validation.
Mitigation strategies should focus on immediate version updates to 10.34.4 or 11.7.0 where the vulnerability has been addressed through proper input sanitization and path validation mechanisms. Organizations should implement additional controls such as restricting write permissions for pnpm processes, implementing file system access controls, and conducting thorough code review of patch entries before processing. The fix aligns with security best practices outlined in CWE-22 Path Traversal vulnerability classification and follows ATT&CK techniques related to privilege escalation through file system manipulation. System administrators should also consider implementing monitoring for unexpected file deletion patterns and establish proper patch validation procedures as part of their software supply chain security measures.