CVE-2026-50015 | pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm… | CVSS 7.3 HIGH

Description

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or delete arbitrary files on the filesystem during pnpm install, as the user running the install. The diff --git header paths containing ../../ sequences traverse out of the package directory, and the traversal is difficult to catch in code review because patch file diff headers are opaque to most reviewers. This vulnerability is fixed in 10.34.0 and 11.4.0.

Metadata

CVE ID: CVE-2026-50015
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-02 22:46 UTC
Published: 2026-06-25 16:52 UTC
Last updated: 2026-06-25 17:59 UTC
Primary CWE: CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product: pnpm / pnpm
Sources: cve.org · NVD

Severity & Metrics

7.3 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
pnpm	pnpm	—	< 10.33.4, >= 11.0.0, < 11.4.0

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.3	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

References (1)

https://github.com/pnpm/pnpm/security/advisories/GHSA-rxhj-4m44-96r4 https://github.com/pnpm/pnpm/security/advisories/GHSA-rxhj-4m44-96r4