216.73.217.176

CVE-2026-24056

· Published 26/01/2026 22:15 · Modified 27/01/2026 14:59

Labels: CVE-2026-24056 2026-01-26CVE-2026-24056CWE-22[email protected]

Essential information

Published
26/01/2026 22:15
Modified
27/01/2026 14:59
Author
Creator
CVSS
6.7 MEDIUM (v3) 6.7 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies andCI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
pnpm / pnpm cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:*:*:*
pnpm / pnpm cpe:2.3:a:pnpm:pnpm:<10.28.2:*:*:*:*:*:*:*

References