CVE-2026-55699: Arbitrary Directory Deletion via Path Traversal in pnpm globalBinDir Resolver
Vulnerability ID: CVE-2026-55699
CVSS Score: 6.5
Published: 2026-06-26
CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because manifest validation fails to reject relative path segments in the keys of a package's 'bin' field. When a malicious package whose bin keys contain path traversal segments is globally installed and later removed or updated, pnpm resolves the target paths with path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.
TL;DR
A validation flaw in pnpm allows malicious packages to register '..' as a binary command name. When the package is uninstalled or updated, pnpm evaluates this command key, resolves it to the parent directory of global binaries (typically PNPM_HOME), and deletes it recursively.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22, CWE-73
- Attack Vector: Network (Requires User Interaction)
- CVSS v3.1 Score: 6.5
- EPSS Score: 0.00271
- Impact: High (Availability - Arbitrary Directory Deletion)
- Exploit Status: Proof of Concept (PoC) available
- KEV Status: Not listed
Affected Systems
- pnpm package manager
- Node.js development environments running pnpm
- pnpm: < 10.34.2 (Fixed in: 10.34.2)
- pnpm: >= 11.0.0 < 11.5.3 (Fixed in: 11.5.3)
Exploit Details
- GitHub Security Advisory: Proof of concept configuration detailed inside the security advisory.
Mitigation Strategies
- Upgrade the pnpm client to version 10.34.2, 11.5.3, or later depending on the major version line in use
- Restrict arbitrary global installations from unverified public package registries
- Employ manifest scanner scripts within enterprise continuous integration environments to reject packages containing directory traversal elements in the bin definition
Remediation Steps:
- To patch systems running pnpm v10, execute: npm install -g pnpm@10.34.2
- To patch systems running pnpm v11, execute: npm install -g pnpm@11.5.3
- Verify the current version of the executable is updated by running: pnpm --version
References
- NVD CVE-2026-55699 Detail
- GitHub Security Advisory GHSA-4gxm-v5v7-fqc4
- CVE.org CVE-2026-55699 Record