Unzipping Disaster: The pnpm Zip Slip Vulnerability
Vulnerability ID: CVE-2026-23888
CVSS Score: 6.5
Published: 2026-01-26
A classic Zip Slip vulnerability resurfaces in the pnpm package manager (CVE-2026-23888). By exploiting the binary fetcher's reliance on the insecure adm-zip library and unvalidated resolution prefixes, attackers can write arbitrary files outside the extraction directory. This flaw, patched in version 10.28.1, allows malicious packages to overwrite critical system configuration files, potentially leading to Remote Code Execution (RCE) during the installation process.
TL;DR
pnpm versions prior to 10.28.1 contain a critical Path Traversal vulnerability (Zip Slip) in the binary fetcher component. Attackers can supply malicious ZIP archives or resolution metadata containing relative paths (e.g., ../../../.npmrc). When processed, these escape the target directory, allowing arbitrary file overwrites. This can be weaponized to achieve RCE by poisoning configuration files like .npmrc or .bashrc. The fix involves strictly validating all entry paths against the destination root before extraction.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22 (Path Traversal)
- CVSS v3.1: 6.5 (Medium)
- Attack Vector: Network
- Impact: Integrity (High)
- Component: Binary Fetcher / adm-zip
- Exploit Status: PoC Available
Affected Systems
- pnpm < 10.28.1
- Node.js environments using vulnerable pnpm for binary management
- CI/CD pipelines using cached pnpm versions
- pnpm: < 10.28.1 (Fixed in: 10.28.1)
Code Analysis
Commit: 5c382f0
fix: prevent Zip Slip vulnerability by validating entry paths
- zip.extractAllTo(nodeDir, true)
+ for (const entry of zip.getEntries()) { validatePathSecurity(nodeDir, entry.entryName); zip.extractEntryTo(entry, nodeDir, true, true); }
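Review bot: the `validatePathSecurity(nodeDir, entry.entryName)` call is the whole fix, but its body is not in this excerpt; it needs to resolve the joined path and compare it against `nodeDir` with a trailing separator (a plain prefix check would accept a sibling such as `nodeDir-evil/...`) and reject absolute entry names, not just `..` segments. Because the check runs per entry inside the same loop as `zip.extractEntryTo(entry, nodeDir, true, true)`, a traversal entry late in the archive is rejected only after earlier entries have already been written; validating every entry before the first extraction call avoids leaving a half-extracted directory. The advisory also names unvalidated resolution prefixes, which this hunk does not touch, so a reader should confirm that path is covered elsewhere in the commit.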
Exploit Details
- Internal Research: Python script generating a ZIP with traversal characters targeting .npmrc
Mitigation Strategies
- Input Validation: Ensure all file paths in archives are sanitized.
- Least Privilege: Run package installations in isolated environments (containers) where file system escape is contained.
- Dependency Pinning: Use strict versioning and lockfiles to prevent unexpected updates to malicious versions.
Remediation Steps:
- Upgrade pnpm to version 10.28.1 or later via npm install -g pnpm or corepack prepare pnpm@10.28.1 --activate.
- Regenerate lockfiles to ensure no malicious prefixes were cached.