CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24056: Symlink Shenanigans in pnpm: Leaking Host Files via CAFS


Vulnerability ID: CVE-2026-24056
CVSS Score: 6.7
Published: 2026-01-26

A high-severity path traversal vulnerability in the pnpm package manager allows malicious packages (via file: or git: protocols) to read arbitrary files from the host system by abusing symbolic links during the ingestion process.

TL;DR

pnpm versions prior to 10.28.2 fail to correctly handle symbolic links when adding files from local directories or git repositories to its internal store. By using fs.statSync instead of fs.lstatSync, pnpm blindly follows symlinks, allowing an attacker to create a package that symlinks to /etc/passwd (or other sensitive files). When a victim installs this package, pnpm reads the target file and copies it into the project's node_modules, effectively exfiltrating local data.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 & CWE-59
  • Attack Vector: Local / User Interaction
  • CVSS v4.0: 6.7 (Medium)
  • Affected Component: @pnpm/store.cafs
  • Vulnerable Function: addFilesFromDir()
  • Protocol Vector: file: and git:

Affected Systems

  • pnpm < 10.28.2 (fixed in 10.28.2)
  • Node.js development environments
  • CI/CD pipelines using pnpm

Code Analysis

Commit: b277b45

fix: prevent symlink traversal when adding files from dir

diff --git a/store/cafs/src/addFilesFromDir.ts b/store/cafs/src/addFilesFromDir.ts
index ...
--- a/store/cafs/src/addFilesFromDir.ts
+++ b/store/cafs/src/addFilesFromDir.ts
+ import isSubdir from 'is-subdir'
...
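Review bot: the visible hunk adds only `import isSubdir from 'is-subdir'`; the code that calls it is elided, so the actual check cannot be reviewed here. For the fix to close the case the TL;DR describes, the subdir check must be applied to the link's resolved target (after fs.realpathSync), not to the link path itself, which always lies under the package directory, and the entry type must come from fs.lstatSync so the link is recognised before it is followed. Please include that hunk so both points can be confirmed.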

Exploit Details

  • GitHub: Commit diff demonstrating the vulnerability and fix

Mitigation Strategies

  • Upgrade pnpm to version 10.28.2 or later.
  • Audit lockfiles for git: and file: dependency protocols.
  • Run CI/CD jobs in ephemeral, sandboxed environments with minimal file system access.

Remediation Steps:

  1. Check current version: pnpm -v
  2. Update pnpm: npm install -g pnpm@latest or corepack prepare pnpm@latest --activate
  3. Verify update: Ensure version is >= 10.28.2
  4. Re-install project dependencies to ensure store integrity: pnpm install --force

Read the full report for CVE-2026-24056 on our website for more details including interactive diagrams and full exploit analysis.
