CVE-2026-59195 in pnpm
Summary
by MITRE • 07/06/2026
pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under node_modules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml whose env-lockfile document contains a traversal-shaped config dependency name. During pnpm install, pnpm installs the config dependency and creates a symlink at a path derived from that name. This vulnerability is fixed in 10.34.4 and 11.8.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/06/2026
This vulnerability in pnpm represents a critical directory traversal flaw that enables arbitrary file system manipulation through malicious package lock files. The issue stems from pnpm's handling of environment lockfile configuration dependencies, specifically within the configDependencies section of pnpm-lock.yaml files. When pnpm processes these lock files during installation, it directly uses the package names specified in the env-lockfile document without proper validation or sanitization. This design flaw creates a path traversal opportunity where malicious actors can craft package names containing directory traversal sequences such as ../ or ..\ that would allow them to write symlinks outside of the intended node_modules/.pnpm-config directory structure.
The technical execution of this vulnerability occurs during the pnpm install process when the package manager encounters a specially crafted config dependency name in the lock file. The system creates symlinks at paths derived directly from these unvalidated names, potentially allowing attackers to place symbolic links in arbitrary locations on the filesystem. This behavior aligns with CWE-22 Directory Traversal vulnerabilities and represents a privilege escalation vector that could enable malicious actors to manipulate the package manager's operational environment or potentially compromise other system resources. The vulnerability affects versions prior to 10.34.4 and 11.8.0, indicating that these releases contained insufficient input validation for configuration dependency names.
The operational impact of this vulnerability extends beyond simple file system manipulation and could enable attackers to interfere with the package management process itself. By creating symlinks in unintended locations, malicious actors might be able to redirect package resolution, manipulate installed dependencies, or potentially cause cascading failures in the dependency resolution process. This type of attack could compromise build integrity and introduce supply chain vulnerabilities that persist across different development environments. The vulnerability also aligns with ATT&CK technique T1583.002 for acquiring resources and T1068 for exploit development, as it represents a path traversal weakness that can be leveraged to gain unauthorized access to system resources through package management operations.
The fix implemented in pnpm versions 10.34.4 and 11.8.0 addresses this vulnerability by introducing proper input validation and sanitization of configuration dependency names before they are used to create symlinks. This mitigation strategy aligns with defensive programming practices that prevent directory traversal attacks by ensuring that all file system operations use only validated and normalized paths. Organizations should immediately update to these patched versions or implement equivalent mitigations such as lock file verification processes, environment variable sanitization, and runtime monitoring of package manager operations to prevent exploitation of this vulnerability. The fix demonstrates the importance of input validation in package management systems and highlights how seemingly innocuous configuration options can become security attack vectors when proper validation mechanisms are absent.
This vulnerability illustrates the broader security challenges inherent in modern package management ecosystems where configuration files can contain executable instructions that influence system behavior. The flaw represents a classic case of insufficient input validation in a tool that operates with elevated privileges during installation processes, making it particularly dangerous in automated build environments or continuous integration pipelines where such attacks could go unnoticed for extended periods.