CVE Catalog

CVE-2026-50015

HighCVSS 7.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

A vulnerability in pnpm package manager prior to versions 10.34.0 and 11.4.0 allows an attacker to write or delete arbitrary files on the filesystem during pnpm install. The issue stems from missing path validation in .patch files, enabling the use of ../ sequences to escape the package directory.

Risk Assessment

An attacker can compromise the victim's filesystem by overwriting critical configuration files or deleting data, leading to system integrity violation and potential application takeover.

Recommendation

Immediately upgrade pnpm to version 10.34.0 or 11.4.0, which contain the fix. Before upgrading, review all .patch files in repositories for suspicious path sequences.

Original NVD description (English source)

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or delete arbitrary files on the filesystem during pnpm install, as the user running the install. The diff --git header paths containing ../../ sequences traverse out of the package directory, and the traversal is difficult to catch in code review because patch file diff headers are opaque to most reviewers. This vulnerability is fixed in 10.34.0 and 11.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS