CVE-2026-23889: pnpm has Windows-specific tarball Path Traversal
A path traversal vulnerability in pnpm's tarball extraction allows a malicious package to write files outside its package directory on Windows. The path normalization applied to tarball entry names only recognizes forward-slash components (./) and does not recognize backslash components (.\). Because Windows treats the backslash as a directory separator, an entry name written with backslashes is not normalized and can resolve to a location outside the package directory, so the file is written there with the privileges of the user running the install. On POSIX systems a backslash is an ordinary filename character, which is why the issue does not apply there.
This vulnerability is Windows-only.