CVE-2026-23890
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
Description
### Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. ### Details The vulnerability exists in the bin name validation and normalization logic: **1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)** The filter allows any bin name starting with `@` to pass through without validation: ```typescript .filter((commandName) => encodeURIComponent(commandName) === commandName || commandName === '' || commandName[0] === '@' // <-- Bypasses validation ) ``` **2. Incomplete Normalization (`pkg-manager/package-bins/src/index.ts`)** ```typescript function normalizeBinName (name: string): string { return name[0] === '@' ? name.slice(name.indexOf('/') + 1) : name } // Input: @scope/../../evil // Output: ../../evil <-- Path traversal preserved! ``` **3. Exploitation (`pkg-manager/link-bins/src/index.ts:288`)** The normalized name is used directly in `path.join()` without validation. ### PoC 1. Create a malicious package: ```json { "name": "malicious-pkg", "version": "1.0.0", "bin": { "@scope/../../.npmrc": "./malicious.js" } } ``` 2. Install the package: ```bash pnpm add /path/to/malicious-pkg ``` 3. Observe `.npmrc` created in project root (outside node_modules/.bin). ### Impact - All pnpm users who install npm packages - CI/CD pipelines using pnpm - Can overwrite config files, scripts, or other sensitive files Verified on pnpm main @ commit 5a0ed1d45.
How to fix CVE-2026-23890
To remediate CVE-2026-23890, upgrade the affected package to a fixed version below.
- —upgrade to 10.28.1 or later
Is CVE-2026-23890 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.