CVE-2026-59195

pnpm · pnpm

pnpm is affected by a path traversal vulnerability that may allow for unauthorized file system operations.

Executive summary

A high-severity path traversal vulnerability in the pnpm package manager could allow an attacker to manipulate files outside of intended directories, potentially leading to unauthorized system changes.

Vulnerability

This vulnerability is categorized as a path traversal flaw (CWE-22). It allows an unauthenticated attacker to bypass directory restrictions, potentially resulting in unauthorized file integrity modifications.

Business impact

With a CVSS score of 8.2, this vulnerability poses a significant risk to the software supply chain and CI/CD pipelines. Successful exploitation could allow attackers to overwrite critical files, inject malicious dependencies, or disrupt build processes, leading to widespread compromise of downstream systems and significant reputational damage.

Remediation

Immediate Action: Update pnpm to version 10.34.4 or 11.8.0 or later immediately to resolve the directory traversal flaw.

Proactive Monitoring: Audit logs for unusual file system write operations or unexpected package installation paths during build processes.

Compensating Controls: Implement file system integrity monitoring and ensure that package manager processes run with the least privilege necessary to prevent broad system access.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this flaw necessitates immediate attention from development and DevOps teams. Ensure all development environments and build servers are patched to the recommended versions to prevent potential supply chain attacks.