DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-72R4-9C5J-MJ57: Arbitrary File Deletion via Path Traversal in pnpm patch-remove

Vulnerability ID: GHSA-72R4-9C5J-MJ57
CVSS Score: 7.1
Published: 2026-06-27

A path traversal vulnerability in the pnpm package manager's 'patch-remove' command allows an attacker to delete arbitrary files and directories outside the patches directory. By manipulating a project configuration file such as package.json, an attacker can supply a patch path containing traversal sequences (e.g. '../') that the command removes recursively without first verifying that the resolved path stays inside the patches directory.

TL;DR

The pnpm package manager failed to validate file paths in its 'patch-remove' routine. A malicious actor could exploit this by embedding directory traversal sequences in a project's configuration, leading to arbitrary file deletion when a developer or CI/CD runner executed the command against that project.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
  • Attack Vector: Local; requires the victim (a developer or a CI/CD runner) to run 'pnpm patch-remove' in a workspace whose configuration the attacker controls
  • CVSS Severity: 7.1 (High)
  • Exploit Status: Concept-proven (PoC verified in test cases)
  • Impact Type: Arbitrary File and Folder Deletion
  • KEV Status: Not Listed

Affected Systems

  • pnpm command-line interface
  • @pnpm/plugin-commands-patching node module
  • @pnpm/patching.commands node module
  • pnpm: < 10.0.0, and later versions without the containment fix (fixed in the patched v10.x releases)
  • @pnpm/plugin-commands-patching: < 10.0.0

Code Analysis

Commit: 612a2e6

fix: contain patch-remove deletions (#12341)

Commit: 352ae48

Backport containment fixes to release/10 (PR #12504)

Mitigation Strategies

  • Upgrade the pnpm installation to a patched version
  • Implement workspace configuration auditing in pull requests
  • Containerize CI/CD pipeline executions to limit host access
  • Restrict workspace filesystem write permissions

Remediation Steps:

  1. Identify the current pnpm version in use by running 'pnpm --version'
  2. Update pnpm to a patched version using 'npm install -g pnpm' or the system package manager
  3. Verify the fix in a disposable copy of a project whose 'patchedDependencies' contains a traversal path: run 'pnpm patch-remove' against it and confirm that nothing outside the patches directory is removed
  4. Configure automated repository checks to block unauthorized changes to 'patchedDependencies'
