DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23889: pnpm Path Traversal: When Windows Backslashes Break the Rules


Vulnerability ID: CVE-2026-23889
CVSS Score: 6.5
Published: 2026-01-26

A logic error in pnpm's tarball extraction allowed arbitrary file writes on Windows systems. Entry names that used backslashes (\) instead of forward slashes (/) as path separators bypassed the sanitization check intended to prevent directory traversal, because that check only recognised the forward-slash form.

TL;DR

pnpm versions prior to 10.28.1 contain a Windows-specific path traversal vulnerability. The tarball extraction logic normalized entry names that contained a POSIX-style traversal sequence (the './' substring) but not the Windows-style equivalent written with backslashes ('.\'), so a name of the form ..\..\file was never normalized and, because Windows treats the backslash as a path separator, was written outside the package's installation directory. A malicious package can use this to overwrite configuration files or inject code into CI/CD pipelines that run on Windows.


Technical Details

  • CWE ID: CWE-22
  • CVSS v3.1: 6.5 (Medium)
  • Attack Vector: Network (Malicious Package)
  • Impact: Arbitrary File Write
  • Affected OS: Windows
  • Fix Commit: 6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0

Affected Systems

  • pnpm (Windows)
  • Windows CI/CD Runners using pnpm
  • pnpm: < 10.28.1 (Fixed in: 10.28.1)

Code Analysis

Commit: 6ca07ff

fix: sanitize \ in tarball entry names

-    if (fileName.includes('./')) {
-      fileName = path.posix.join('/', fileName).slice(1)
+    if (fileName.includes('./') || fileName.includes('.\\')) {
+      fileName = path.posix.join('/', fileName.replaceAll('\\', '/')).slice(1)
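Review bot: the `replaceAll('\\', '/')` on the second `+` line only runs when the name already contains `./` or `.\`, so an entry with backslashes but no dot segment (for example `foo\bar.js`) is passed through with its separators unnormalized, and the gate and the normalization now both have to enumerate every separator variant. Suggest normalizing unconditionally and gating on one form, e.g. `fileName = fileName.replaceAll('\\', '/')` placed before the existing `if (fileName.includes('./'))`, and, because `path.posix.join('/', ...)` clamps traversal to the root rather than rejecting it, adding a final containment check that the resolved target lies inside the destination directory instead of relying on the substring test alone.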

Exploit Details

  • Internal analysis: the vulnerability was inferred from the patch, which shows that the backslash check was missing.

Mitigation Strategies

  • Normalize all file paths to a common format (POSIX) before processing, regardless of the host OS.
  • Implement a "jail" check that verifies the final resolved path is still within the intended destination directory.

Remediation Steps:

  1. Update pnpm to version 10.28.1 or later immediately.
  2. If you cannot upgrade, avoid installing untrusted packages on Windows systems.
  3. Audit your CI/CD pipelines to ensure the pnpm version is pinned to a safe release.

References


Read the full report for CVE-2026-23889 on our website for more details including interactive diagrams and full exploit analysis.
