{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24131", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-21T18:38:22.474Z", "datePublished": "2026-01-26T22:03:33.808Z", "dateUpdated": "2026-01-27T21:37:51.868Z"}, "containers": {"cna": {"title": "pnpm has Path Traversal via arbitrary file permission modification", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-732", "lang": "en", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq"}, {"name": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943"}, {"name": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2"}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"version": "< 10.28.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:03:33.808Z"}, "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `\"directories\": {\"bin\": \"../../../../tmp\"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch."}], "source": {"advisory": "GHSA-v253-rj99-jwpq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:37:39.852167Z", "id": "CVE-2026-24131", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:37:51.868Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24131", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T21:37:39.852167Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:37:44.487Z"}}], "cna": {"title": "pnpm has Path Traversal via arbitrary file permission modification", "source": {"advisory": "GHSA-v253-rj99-jwpq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"status": "affected", "version": "< 10.28.2"}]}], "references": [{"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq", "name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943", "name": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2", "name": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `\"directories\": {\"bin\": \"../../../../tmp\"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:03:33.808Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24131", "state": "PUBLISHED", "dateUpdated": "2026-01-27T21:37:51.868Z", "dateReserved": "2026-01-21T18:38:22.474Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-26T22:03:33.808Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BA06266E-E70F-4B2B-AA69-7482EEE8A7A0", "versionEndExcluding": "10.28.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `\"directories\": {\"bin\": \"../../../../tmp\"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch."}], "id": "CVE-2026-24131", "lastModified": "2026-01-28T17:05:46.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-26T22:15:56.830", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-732"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "pnpm: pnpm: Arbitrary file permission modification via directory traversal", "id": "2433115", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433115"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "(CWE-22|CWE-732)", "details": ["A flaw was found in pnpm, a package manager. When pnpm processes the `directories.bin` field of a package, it fails to properly validate the path, allowing a malicious npm package to specify a crafted path. This directory traversal vulnerability enables the package to escape its intended directory and modify file permissions (chmod 755) at arbitrary locations on the system. This issue primarily affects Unix, Linux, and macOS operating systems."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that only trusted npm packages are used with `pnpm`. Avoid installing packages from untrusted or unverified sources to prevent the processing of malicious package `directories.bin` fields."}, "name": "CVE-2026-24131", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-01-26T22:03:33Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24131\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24131\nhttps://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943\nhttps://github.com/pnpm/pnpm/releases/tag/v10.28.2\nhttps://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq"], "statement": "This vulnerability is rated Moderate for Red Hat products as it allows a malicious npm package to perform path traversal, leading to arbitrary file permission modification (chmod 755) outside the intended package directory. This issue affects systems running pnpm on Unix/Linux-based Red Hat environments when processing untrusted npm packages.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T02:35:39.796755+00:00", "value": {"mitigation_remediation": ["Upgrade pnpm to version 10.28.2 or later to receive the path validation patch.", "If an immediate upgrade is not possible, avoid installing or running untrusted npm packages and consider using pnpm\u2019s --no-bin-links flag to skip binary creation.", "Run pnpm under a user account with the least required privileges and limit its file system access so that even if a path traversal occurs, the scope of affected files is constrained."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file permission changes via path traversal"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the pnpm package manager on Unix\u2011like operating systems\u2014Linux, macOS, and other Unix variants\u2014when installed at any version earlier than 10.28.2. Windows is not impacted because the potential exploit path is guarded by the EXECUTABLE_SHEBANG_SUPPORTED condition. Anyone using pnpm to install packages from untrusted registries or local sources is at risk.", "description_and_impact": "pnpm, before version 10.28.2, processes a package\u2019s directories.bin field without validating that the resolved path remains inside the package root. A malicious npm package can set directories.bin to a value such as \"../../../../tmp\", causing pnpm to use path.join() to build a path that points outside the package. The resulting path is then chmod\u2011ed to 755, giving the attacker the ability to modify the permissions of any file the pnpm process can reach, potentially granting elevated privileges or enabling other subsequent attacks.", "risk_and_exploitability": "The vulnerability received a CVSS score of 6.7, indicating moderate severity. However, the EPSS score is reported as < 1%, so the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a malicious package; once delivered, the attack can be carried out locally by the user running pnpm, allowing changes to arbitrary file permissions under that user\u2019s filesystem scope."}}}}, "created": "2026-01-27T09:03:29.955845+00:00", "updated": "2026-04-18T02:45:27.278202+00:00", "vendors": ["pnpm", "pnpm$PRODUCT$pnpm"]}