216.73.217.64

CVE-2026-24131

· Published 26/01/2026 22:15 · Modified 27/01/2026 14:59

Labels: CVE-2026-24131 2026-01-26CVE-2026-24131CWE-22[email protected]

Essential information

Published
26/01/2026 22:15
Modified
27/01/2026 14:59
Author
Creator
CVSS
6.7 MEDIUM (v3) 6.7 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
p npm / pnpm cpe:2.3:a:p npm:pnpm:<10.28.2:*:*:*:*:*:*:*

References