Vulnerability Description
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies andCI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pnpm | Pnpm | < 10.28.2 |
Related Weaknesses (CWE)
References
- https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70fPatch
- https://github.com/pnpm/pnpm/releases/tag/v10.28.2Release Notes
- https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggwVendor AdvisoryExploit
FAQ
What is CVE-2026-24056?
CVE-2026-24056 is a vulnerability with a CVSS score of 6.5 (MEDIUM). pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the...
How severe is CVE-2026-24056?
CVE-2026-24056 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-24056?
Check the references section above for vendor advisories and patch information. Affected products include: Pnpm Pnpm.