pnpm: Transitive dependency alias path traversal allows project path override...

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.

AI Analysis

Transitive dependency alias path traversal vulnerability in pnpm, allowing an attacker to replace paths in the current project with symlinks to attacker-controlled dependency package directories.

Basic Information

ID CVE-2026-50016

Source GitHub_M

Published Jun 25, 2026 at 16:53

Modified Jun 25, 2026 at 18:05

Affected Product

Vendor pnpm

Product pnpm

Version < 10.33.4

Affected Versions pnpm pnpm < 10.33.4
pnpm pnpm >= 11.0.0, < 11.4.0

CWE Classification

CWE-23

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor pnpm

Product pnpm

Version < 10.34.0, >= 11.0.0 and < 11.4.0

References

github.com /pnpm/pnpm/security/advisories/GHSA-hwx4-2j3j-g496

{
    "lastseen": "",
    "description": "pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.",
    "published": "2026-06-25T16:53:16.350Z",
    "modified": "2026-06-25T18:05:01.809Z",
    "type": "cve",
    "title": "pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement",
    "source": "GitHub_M",
    "references": "https://github.com/pnpm/pnpm/security/advisories/GHSA-hwx4-2j3j-g496",
    "id": "CVE-2026-50016",
    "bulletinFamily": "",
    "cwe": [
        "CWE-23"
    ],
    "cvelist": null,
    "sourceData": "pnpm pnpm < 10.33.4\npnpm pnpm >= 11.0.0, < 11.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pnpm",
    "version": "< 10.33.4",
    "vendor": "pnpm",
    "ai_description": "Transitive dependency alias path traversal vulnerability in pnpm, allowing an attacker to replace paths in the current project with symlinks to attacker-controlled dependency package directories.",
    "ai_severity": "High",
    "ai_vendor": "pnpm",
    "ai_product": "pnpm",
    "ai_version": "< 10.34.0, >= 11.0.0 and < 11.4.0",
    "ai_score": 8.8
}

pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement_CVE-2026-50016