DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23890: pnpm: The Path to Hell is Paved with Scoped Bins


Vulnerability ID: CVE-2026-23890
CVSS Score: 6.5
Published: 2026-01-26

A logic flaw in pnpm's bin-linking code let a malicious package write outside node_modules/.bin: a bin name beginning with '@' looked like a scoped package name and was allowed through with directory traversal sequences intact.

TL;DR

pnpm trusted 'scoped' bin names too much. A bin key in package.json that starts with '@' (the form a scoped package name takes) passed the name validation that an unscoped key containing a slash would not. A malicious package could therefore declare a bin key such as @scope/../../.npmrc, and when pnpm built the shim path under node_modules/.bin the '..' segments walked back out of that directory, so the shim was written over a file elsewhere in the project (the example targets the project's .npmrc) instead of into node_modules/.bin.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-23 (Relative Path Traversal)
  • Attack Vector: Network (a malicious package fetched from a registry)
  • CVSS v3.1: 6.5 (Medium)
  • Impact: High (integrity)
  • Exploit Status: PoC Available
  • Component: pkg-manager/package-bins

Affected Systems

  • pnpm < 10.28.1 (fixed in 10.28.1)
  • Node.js projects whose dependencies are installed with a vulnerable pnpm
  • CI/CD pipelines that run pnpm install with a vulnerable pnpm

Code Analysis

Commit: 8afbb15

fix: prevent path traversal by validating bin names

pkg-manager/package-bins/src/index.ts

Exploit Details

  • Internal Research: a PoC was constructed from the advisory description using nested traversal sequences ('..' segments) in bin keys.

Mitigation Strategies

  • Input validation hardening: reject bin names that contain traversal segments, absolute paths, or more path separators than a single scoped '@scope/name' form allows.
  • Path normalization checks: resolve the shim path and confirm it still lies inside node_modules/.bin before writing anything.
  • Dependency auditing: review the bin fields of dependencies that declare executables before they are linked.

Remediation Steps:

  1. Upgrade pnpm to version 10.28.1 or later immediately.
  2. If you suspect a breach, use pnpm-lock.yaml to find the dependencies it marks with hasBin: true, then inspect the bin field in each of those packages' package.json for keys containing '..' or unexpected path separators (the lockfile records which packages declare bins, not the bin names themselves), and check files such as .npmrc for unexpected changes.
  3. Use pnpm install --ignore-scripts when installing untrusted packages, though this only prevents post-install script execution; it does not stop the bin linking that this flaw abuses.
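The mechanism described in the TL;DR and the audit in remediation step 2, as an added example written for this report rather than pnpm's own code. shimPathVulnerable is a hypothetical reconstruction of a pre-fix filter that only trusts the '@' prefix; isSafeBinName, shimPathHardened, suspiciousBinKeys, the /proj directory and the sample manifest are all constructed for illustration. Allowing a single '@scope/name' separator is an assumption; a basename-only policy is stricter.

```typescript
import * as path from 'node:path'

// Illustrative model of how a package manager turns a dependency's "bin"
// map into shim paths under node_modules/.bin. Not pnpm's code.
// path.posix is used so results are identical on every platform.
const p = path.posix

export interface BinCommand {
  name: string   // key of the "bin" map; becomes the shim file name
  target: string // value of the "bin" map, relative to the package root
}

// Hypothetical pre-fix logic: a slash in a bin name is rejected unless the
// name starts with "@" (assumed to be a scoped "@scope/name"). Nothing
// looks for ".." segments, so "@scope/../../../.npmrc" passes the filter.
export function shimPathVulnerable(binsDir: string, cmd: BinCommand): string | null {
  const looksScoped = cmd.name.startsWith('@')
  if (!looksScoped && cmd.name.includes('/')) return null
  return p.join(binsDir, cmd.name)
}

// Validate a bin name on its own. Accepts "name" or "@scope/name" (an
// assumption made here); rejects traversal, absolute paths, backslashes, NUL.
export function isSafeBinName(name: string): boolean {
  if (name.length === 0 || name.includes('\0') || name.includes('\\')) return false
  if (p.isAbsolute(name)) return false
  const segments = name.split('/')
  if (segments.length > 2) return false
  if (segments.length === 2 && !segments[0].startsWith('@')) return false
  return segments.every(s => s !== '' && s !== '.' && s !== '..')
}

// Hardened resolution: validate the name, then also require that the
// resolved shim path is strictly inside binsDir (defence in depth).
export function shimPathHardened(binsDir: string, cmd: BinCommand): string | null {
  if (!isSafeBinName(cmd.name)) return null
  const root = p.resolve(binsDir)
  const shim = p.resolve(root, cmd.name)
  return shim.startsWith(root + '/') ? shim : null
}

// Audit helper for remediation step 2: return the bin keys of a manifest
// that the hardened check would reject. Run it over the package.json of
// every dependency the lockfile marks with "hasBin: true".
export function suspiciousBinKeys(
  manifest: { name?: string; bin?: string | Record<string, string> },
): string[] {
  if (manifest.bin === undefined) return []
  if (typeof manifest.bin === 'string') {
    // A string-valued bin uses the unscoped package name as the command name.
    const cmd = (manifest.name ?? '').split('/').pop() ?? ''
    return isSafeBinName(cmd) ? [] : [cmd]
  }
  return Object.keys(manifest.bin).filter(k => !isSafeBinName(k))
}

// Constructed sample manifest, shaped like a malicious dependency's package.json.
export const SAMPLE_MANIFEST = {
  name: 'evil-pkg',
  bin: {
    'evil': 'dist/cli.js',
    '@scope/../../../.npmrc': 'dist/payload.js',
  },
}

export function demo(): void {
  const binsDir = '/proj/node_modules/.bin'
  for (const [name, target] of Object.entries(SAMPLE_MANIFEST.bin)) {
    const cmd: BinCommand = { name, target }
    console.log(`${name}\n  vulnerable: ${shimPathVulnerable(binsDir, cmd)}\n  hardened:   ${shimPathHardened(binsDir, cmd)}`)
  }
  console.log('suspicious bin keys:', suspiciousBinKeys(SAMPLE_MANIFEST))
}

demo()
```

With the sample manifest, the vulnerable resolver maps the '@scope/...' key to /proj/.npmrc, three levels above node_modules/.bin, while the plain '../../.npmrc' form is caught by the no-slash rule, which is exactly the asymmetry the '@' prefix exploited. The hardened resolver returns null for the malicious key and still links 'evil' and a legitimate '@scope/tool' inside the bin directory.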

References


Read the full report for CVE-2026-23890 on our website for more details including interactive diagrams and full exploit analysis.
