VDB

CVE-2026-24131

CVE-2026-24131 PUBLISHED CVSS 6.699999809265137 MEDIUM

pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch.

EPSS 0.01% · 0.6th percentile

Risk Scores

CVSS v4.0
6.699999809265137
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.01%
0.6th percentile

Affected Products

VendorProductVersions
pnpmpnpm< 10.28.2, 0, < 10.28.2
npmpnpm0, 0, 0

Timeline

  • Jan 26, 2026 CVE Published
  • Jan 27, 2026 EPSS Score
  • Jan 27, 2026 PoC Published
  • Jan 29, 2026 EPSS Score
  • Jan 30, 2026 Security Advisory
  • Feb 1, 2026 EPSS Score
  • Feb 3, 2026 EPSS Score
  • Feb 6, 2026 EPSS Score
  • Feb 8, 2026 EPSS Score
  • Feb 11, 2026 EPSS Score
  • Feb 13, 2026 EPSS Score
  • Feb 16, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›