Skip to content

pnpm: `stage download` writes outside its destination directory via manifest name/version traversal

High severity GitHub Reviewed Published Jun 15, 2026 in pnpm/pnpm • Updated Jun 26, 2026

Package

npm pnpm (npm)

Affected versions

>= 11.3.0, < 11.5.3

Patched versions

11.5.3

Description

Summary

The staged-tarball filename traversal reported as GHSA-v23m-ccfg-pq9h / CAND-PNPM-038 is fixed on main by pnpm/pnpm#12303, merged as 65443f4bdf1f0db9c8c7dc58fee25252607e9234.

Before the fix, pnpm stage download derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe filename, and verifies the final destination before writing.

Security boundary

  • Package names and semantic versions are validated before they can influence a local filename.
  • POSIX and Windows path separators are rejected by basename checks.
  • Stage download and tarball summary paths use the same filename helper.
  • The resolved output path must remain an immediate child of the selected download directory.
  • The stage identifier is already constrained to a UUID.

Exploit replay

Before 65443f4bdf, a traversal-bearing manifest version could make the command write outside the selected directory. After the fix, malicious package names fail with ERR_PNPM_INVALID_PACKAGE_NAME, malicious versions fail with ERR_PNPM_INVALID_PACKAGE_VERSION, no outside file is created, and the download directory remains empty.

Files changed

  • releasing/commands/src/tarball/safeTarballFilename.ts validates manifest identity and rejects cross-platform path separators.
  • releasing/commands/src/stage/download.ts verifies the resolved destination before writing.
  • releasing/commands/src/tarball/summarizeTarball.ts uses the same filename contract.
  • releasing/commands/test/stage.test.ts covers traversal through both package name and version.
  • .changeset/stale-stage-tarballs.md includes patch bumps for @pnpm/releasing.commands and pnpm.

Patch

  • Merged PR: pnpm/pnpm#12303
  • Fix commit: 65443f4bdf1f0db9c8c7dc58fee25252607e9234
  • The private candidate branch was not submitted because it conflicts with and is superseded by the merged fix. The upstream patch is slightly stronger because it covers malicious package names as well as versions.

Commands run

$ git diff --check 65443f4bdf^ 65443f4bdf
PASS
$ gh pr view 12303 --repo pnpm/pnpm --json state,mergeCommit,statusCheckRollup
MERGED as 65443f4bdf

Validation

  • Upstream regression coverage rejects traversal through both manifest name and version and verifies that no outside file is created.
  • Compile and lint, dependency audit, Linux Node.js 22/24/26, CodeQL, and zizmor checks passed on the merged public PR.
  • The Windows Node.js 22 full-suite job timed out in the unrelated pnpm/test/dlx.ts cache test after 512 other tests passed. The PR was merged by the maintainer; the failure did not involve the staging code.
  • The earlier private candidate's focused exploit regression, positive control, package compile, ESLint, and git diff --check also passed.

Compatibility

Staging and release commands are TypeScript-only. Pacquet does not expose this command family, so no Rust-side port is required.

Remaining risk

The final fs.writeFile follows a pre-existing symlink at the exact in-directory output name. That requires separate local filesystem access and is not controllable through the registry manifest traversal described here.

Written by an agent (Codex, GPT-5).

References

@zkochan zkochan published to pnpm/pnpm Jun 15, 2026
Published by the National Vulnerability Database Jun 25, 2026
Published to the GitHub Advisory Database Jun 26, 2026
Reviewed Jun 26, 2026
Last updated Jun 26, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(17th percentile)

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations. Learn more on MITRE.

CVE ID

CVE-2026-55700

GHSA ID

GHSA-v23m-ccfg-pq9h

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.