CVE-2026-24131: pnpm has Path Traversal via arbitrary file permission modification

January 26, 2026

When pnpm processes a package’s directories.bin field, it uses path.join() without validating the result stays within the package root. A malicious npm package can specify "directories": {"bin": "../../../../tmp"} to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations.

Note: Only affects Unix/Linux/macOS. Windows is not affected (fixBin gated by EXECUTABLE_SHEBANG_SUPPORTED).

References

github.com/advisories/GHSA-v253-rj99-jwpq
github.com/pnpm/pnpm
github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943
github.com/pnpm/pnpm/releases/tag/v10.28.2
github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq
nvd.nist.gov/vuln/detail/CVE-2026-24131

Code Behaviors & Features

Detect and mitigate CVE-2026-24131 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →