CVE Catalog

CVE-2026-50016

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile — higher than 23% of all known CVEs

Summary

pnpm before versions 10.34.0 and 11.4.0 allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm uses that alias as a filesystem path when linking dependency nodes, enabling an attacker to replace paths in the current project with symlinks to attacker-controlled directories.

Risk Assessment

An attacker can publish a malicious package to the registry that, during installation (even with --ignore-scripts), replaces existing project files or directories with symlinks, leading to project compromise or data exfiltration.

Recommendation

Upgrade pnpm to version 10.34.0 or 11.4.0 immediately, which fix the path traversal vulnerability via dependency aliases.

Original NVD description (English source)

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS