{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23889", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T21:02:02.902Z", "datePublished": "2026-01-26T21:50:55.289Z", "dateUpdated": "2026-01-27T21:40:36.271Z"}, "containers": {"cna": {"title": "pnpm has Windows-specific tarball Path Traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p"}, {"name": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0"}, {"name": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1"}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"version": "< 10.28.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:00:18.657Z"}, "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch."}], "source": {"advisory": "GHSA-6x96-7vc8-cm3p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:40:27.399595Z", "id": "CVE-2026-23889", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:40:36.271Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23889", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T21:40:27.399595Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:40:31.773Z"}}], "cna": {"title": "pnpm has Windows-specific tarball Path Traversal", "source": {"advisory": "GHSA-6x96-7vc8-cm3p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"status": "affected", "version": "< 10.28.1"}]}], "references": [{"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p", "name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0", "name": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1", "name": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:00:18.657Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23889", "state": "PUBLISHED", "dateUpdated": "2026-01-27T21:40:36.271Z", "dateReserved": "2026-01-16T21:02:02.902Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-26T21:50:55.289Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "5AFF60E6-D1CC-46A7-9122-988E9B68D1B9", "versionEndExcluding": "10.28.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch."}], "id": "CVE-2026-23889", "lastModified": "2026-01-28T17:33:40.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-26T22:15:56.213", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "pnpm: pnpm: Arbitrary file write via path traversal on Windows", "id": "2433093", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433093"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in pnpm, a package manager. This vulnerability, known as path traversal, allows a malicious package to write files to unintended locations on Windows systems during the extraction of compressed archives (tarballs). The issue arises because pnpm's path normalization process does not properly account for Windows-specific directory separators. This could enable an attacker to overwrite important configuration files, potentially leading to unauthorized code execution or system compromise."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-23889", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-01-26T21:50:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23889\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23889\nhttps://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0\nhttps://github.com/pnpm/pnpm/releases/tag/v10.28.1\nhttps://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p"], "statement": "This vulnerability is rated Moderate. However, in the Red Hat context, the impact is limited as this path traversal vulnerability in pnpm's tarball extraction is specific to Windows operating systems. Red Hat products, including the affected Enterprise Application Platform components, primarily operate on Linux environments, where this specific attack vector is not applicable.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T14:59:58.088069+00:00", "value": {"mitigation_remediation": ["Upgrade pnpm to version 10.28.1 or later to apply the path traversal fix.", "Restrict the use of pnpm to trusted package sources and validate tarball contents before extraction in CI/CD pipelines.", "Run CI/CD agents with least privilege and omit write permissions to critical configuration directories when installing packages."], "summary": {"action": "Apply Patch", "impact": "Arbitrary file overwrite on Windows that may enable code execution"}, "threat_synthesis": {"affected_systems": "pnpm users running on Windows and Windows\u2011based CI/CD environments, including GitHub Actions Windows runners and Azure DevOps pipelines, using version 10.28.0 or earlier. The vulnerability does not affect other operating systems.", "description_and_impact": "A path traversal flaw in pnpm\u2019s tarball extraction process allows malicious packages to write files outside the intended package directory on Windows. The path normalization logic only checks for the Unix\u2010style \".\" prefix, ignoring the backslash used on Windows; this oversight lets an attacker include file paths that escape the package boundary and overwrite critical files such as \".npmrc\" or build configuration files, potentially leading to privilege escalation or arbitrary code execution.", "risk_and_exploitability": "The CVSS score of 6.5 reflects moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalogue. An attacker can exploit this flaw by introducing a malicious package into a locally built or CI\u2011driven project on a Windows machine, thereby gaining the ability to overwrite arbitrary files on the host."}}}}, "created": "2026-01-27T09:03:16.368809+00:00", "updated": "2026-04-18T15:00:03.456396+00:00", "vendors": ["pnpm", "pnpm$PRODUCT$pnpm"]}