DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-FR4H-3CPH-29XV: Path Traversal and Directory Hijacking in pnpm and pacquet Dependency Resolution

Vulnerability ID: GHSA-FR4H-3CPH-29XV
CVSS Score: 7.1
Published: 2026-06-27

GHSA-FR4H-3CPH-29XV is a high-severity path traversal vulnerability in pnpm and its Rust-based port pacquet. The flaw manifests when the hoisted node-linker configuration is in use: a manipulated lockfile can carry package paths containing relative traversal sequences, or names that target reserved subdirectories, so that dependency resolution writes outside the intended directory. The result is arbitrary file write or hijacking of what gets executed.

TL;DR

A path traversal vulnerability in pnpm and pacquet under 'hoisted' mode allows attackers to overwrite files outside the installation directory or hijack binaries inside the virtual store via malicious lockfiles.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22, CWE-73
  • Attack Vector: Network / Remote
  • CVSS Score: 7.1
  • Exploit Status: Proof-of-Concept
  • Impact: Arbitrary File Write / Code Execution
  • CISA KEV Status: Not Listed

Affected Systems

  • pnpm CLI
  • pacquet Rust port
  • pnpm: < 10.34.4 (Fixed in: 10.34.4)
  • pnpm: >= 11.0.0, < 11.7.0 (Fixed in: 11.7.0)

Code Analysis

Commit: 352ae48

fix(security): backport path-traversal and containment fixes to v10

Replaced the native path.join with safeJoinModulesDir, which adds validate-npm-package-name checks and deep relative-path containment validation.

Mitigation Strategies

  • Upgrade pnpm to 10.34.4 (for v10) or 11.7.0+ (for v11)
  • Avoid the 'hoisted' nodeLinker topology in configuration
  • Enforce --frozen-lockfile in continuous integration pipelines
  • Implement static analysis on lockfiles to detect traversal elements

Remediation Steps:

  1. Verify the current global pnpm version using 'pnpm -v'.
  2. Execute 'npm install -g pnpm@latest' or 'corepack prepare pnpm@latest --activate' to update.
  3. Audit local config files (.npmrc) and ensure 'nodeLinker: hoisted' is avoided if updates are delayed.
  4. Implement a build gate to detect relative paths in pnpm-lock.yaml files.

Read the full report for GHSA-FR4H-3CPH-29XV on our website for more details including interactive diagrams and full exploit analysis.
