
CVE-2026-50015 - pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)

CVSS 7.3 (High) · EPSS 0.25% · P16

I. Basic Information for CVE-2026-50015

Vulnerability Information


Vulnerability Title
pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)
Source: NVD (National Vulnerability Database)
Vulnerability Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or delete arbitrary files on the filesystem during pnpm install, as the user running the install. The diff --git header paths containing ../../ sequences traverse out of the package directory, and the traversal is difficult to catch in code review because patch file diff headers are opaque to most reviewers. This vulnerability is fixed in 10.34.0 and 11.4.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Source: NVD (National Vulnerability Database)

Affected Products

Vendor | Product | Affected Versions | CPE
pnpm   | pnpm    | < 10.33.4         | -

Note: the affected-version bound in this table (< 10.33.4) does not match the description above, which states that the fix landed in 10.34.0 and 11.4.0; treat any 10.x release before 10.34.0 and any 11.x release before 11.4.0 as affected until the entry is reconciled.

II. Public POCs for CVE-2026-50015


No public POC found.


III. Intelligence Information for CVE-2026-50015


Vendor Advisories for CVE-2026-50015 (1)

Same Patch Batch · pnpm · 2026-06-25 · 13 CVEs total

CVE-2026-50016 · 8.8 HIGH · pnpm: Transitive dependency alias path traversal allows project path override via symlink
CVE-2026-55698 · 8.8 HIGH · pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfi
CVE-2026-55487 · 7.5 HIGH · pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
CVE-2026-55697 · 7.5 HIGH · pnpm: Repository-controlled configDependencies can select a pacquet native install engine
CVE-2026-55700 · 7.1 HIGH · pnpm: stage download writes outside destination via manifest version traversal
CVE-2026-50021 · 6.8 MEDIUM · pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field
CVE-2026-50573 · 6.8 MEDIUM · pnpm: Unsafe default behavior breaks integrity check
CVE-2026-55180 · 6.5 MEDIUM · pnpm: Repository config can expand victim environment secrets into registry requests befor
CVE-2026-55699 · 6.5 MEDIUM · pnpm: reserved bin name deletes PNPM_HOME during global remove
CVE-2026-50014 · 6.4 MEDIUM · pnpm: Git Fetch Argument Injection via Lockfile resolution.commit
CVE-2026-48995 · (no score listed) · pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile
CVE-2026-50017 · (no score listed) · pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
