{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23890", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T21:02:02.902Z", "datePublished": "2026-01-26T21:53:40.810Z", "dateUpdated": "2026-01-27T21:39:57.954Z"}, "containers": {"cna": {"title": "pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h"}, {"name": "https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d"}, {"name": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1"}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"version": "< 10.28.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:00:34.275Z"}, "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch."}], "source": {"advisory": "GHSA-xpqm-wm3m-f34h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:39:49.236417Z", "id": "CVE-2026-23890", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:39:57.954Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23890", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T21:39:49.236417Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:39:54.444Z"}}], "cna": {"title": "pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin", "source": {"advisory": "GHSA-xpqm-wm3m-f34h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"status": "affected", "version": "< 10.28.1"}]}], "references": [{"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h", "name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d", "name": "https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1", "name": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:00:34.275Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23890", "state": "PUBLISHED", "dateUpdated": "2026-01-27T21:39:57.954Z", "dateReserved": "2026-01-16T21:02:02.902Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-26T21:53:40.810Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "5AFF60E6-D1CC-46A7-9122-988E9B68D1B9", "versionEndExcluding": "10.28.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch."}], "id": "CVE-2026-23890", "lastModified": "2026-01-28T17:32:21.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-26T22:15:56.363", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "pnpm: pnpm: Arbitrary code execution via path traversal in bin linking", "id": "2433090", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433090"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-23", "details": ["A flaw was found in pnpm, a package manager. A remote attacker can exploit a path traversal vulnerability by crafting malicious npm packages. This vulnerability allows the attacker to bypass validation by using bin names starting with an \"@\" symbol, enabling them to create executable shims or symbolic links (symlinks) outside of the designated `node_modules/.bin` directory. This could lead to arbitrary code execution or privilege escalation on the affected system."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that only trusted npm packages are installed when utilizing pnpm. Restrict the use of pnpm for package installation to controlled environments, such as secure CI/CD pipelines, to prevent the introduction of malicious packages. Implement robust package source validation and integrity checks to minimize exposure."}, "name": "CVE-2026-23890", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-01-26T21:53:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23890\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23890\nhttps://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d\nhttps://github.com/pnpm/pnpm/releases/tag/v10.28.1\nhttps://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h"], "statement": "This vulnerability is rated Moderate for Red Hat. It affects systems using pnpm where malicious npm packages can exploit a path traversal flaw during bin linking. This allows the creation of executable files or symlinks outside of the `node_modules/.bin` directory, posing a risk in environments that install untrusted npm packages, such as development or CI/CD pipelines.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T02:36:41.816201+00:00", "value": {"mitigation_remediation": ["Upgrade to pnpm version 10.28.1 or later to apply the path\u2011traversal fix", "Regenerate the node_modules directory by removing it and reinstalling all dependencies to ensure no malicious shims remain", "Review any files that appear outside node_modules/.bin after installation, particularly configuration or script files, and restore them to a known safe state or remove them"], "summary": {"action": "Patch Immediately", "impact": "Arbitrary file creation outside node_modules/.bin via path traversal in pnpm bin linking"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts any system running pnpm versions prior to 10.28.1 that installs npm packages or uses pnpm in CI/CD pipelines. pnpm users, developers, and automation scripts that pull dependencies are therefore at risk. The affected vendor/product is pnpm:pnpm, all versions before the publicly released patch in 10.28.1.", "description_and_impact": "pnpm, the JavaScript package manager, had a flaw in its bin linking logic that let a malicious npm package create or overwrite files outside the expected node_modules/.bin directory. When a bin name begins with a scope marker such as @, pnpm omits certain validations, and after normalizing the scope the path traversal sequences like ../../ are preserved. As a result an attacker can place executable shims or symbolic links anywhere on the filesystem, potentially targeting configuration files, scripts, or other sensitive locations. The stored weakness is a typical path traversal issue (CWE\u201123). This gives the attacker the ability to modify files and to execute code with the permissions of the pnpm process, which could lead to unintended privilege escalation or service disruption.", "risk_and_exploitability": "The risk assessment assigns a CVSS score of 6.5, placing it in the moderate to high severity category. The EPSS score is below 1%, indicating that widespread exploitation is presently unlikely, and the vulnerability is not listed in CISA\u2019s KEV catalogue. Nevertheless, an attacker only needs to provide or compromise an npm package to trigger the flaw, a scenario that is feasible for supply\u2011chain attacks or malicious package publication. If an attacker succeeds, they can overwrite or create files on the target system, potentially corrupting configuration, installing backdoors, or enabling further exploitation. The attack vector is inferred to be through malicious or compromised npm packages because the bin linking process occurs during installation. Consequently, users working with untrusted packages or running CI/CD pipelines that install dependencies automatically are at higher risk."}}}}, "created": "2026-01-27T09:03:24.365611+00:00", "updated": "2026-04-18T02:45:27.279238+00:00", "vendors": ["pnpm", "pnpm$PRODUCT$pnpm"]}