CVE-2026-55700: Path Traversal and Arbitrary File Write in pnpm stage download
Vulnerability ID: CVE-2026-55700
CVSS Score: 7.1
Published: 2026-06-26
A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.
TL;DR
Unsanitized 'name' and 'version' fields in downloaded package manifests allow arbitrary filesystem writes during 'pnpm stage download' operations.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network
- CVSS: 7.1
- EPSS: 0.00258
- Impact: High Integrity, Low Availability
- Exploit Status: poc
- KEV Status: Not Listed
Affected Systems
- pnpm: < 11.5.3 (Fixed in: 11.5.3)
Code Analysis
Commit: 65443f4
fix(stage): prevent path traversal in safeTarballFilename
Mitigation Strategies
- Upgrade pnpm to a patched version
- Restrict staging commands to verified, trusted package registries
- Implement system-level read/write restrictions on CI/CD environments
Remediation Steps:
- Execute 'npm install -g pnpm@11.5.3' or use corepack to update pnpm.
- Audit the configured registries to ensure they are reached over HTTPS.
- Employ endpoint detection tools to flag suspicious file-write operations originating from Node.js applications.