CVE-2026-23888: pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
A path traversal vulnerability in pnpm’s binary fetcher allows a malicious package to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) malicious ZIP entries containing ../ or absolute paths escape the extraction root when the archive is unpacked via AdmZip’s extractAllTo, and (2) the BinaryResolution.prefix field is concatenated into the extraction path without validation, so a crafted prefix such as ../../evil redirects extracted files outside targetDir.