Bug 2433115 (CVE-2026-24131)

Summary:	CVE-2026-24131 pnpm: pnpm: Arbitrary file permission modification via directory traversal
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	asoldano, bbaranow, bmaxwell, brian.stansberry, darran.lofthouse, dosoudil, istudens, ivassile, iweiss, mosmerov, msvehla, nwallace, pberan, pesilva, pjindal, pmackay, rstancel, smaestri, tom.jenkinson
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A flaw was found in pnpm, a package manager. When pnpm processes the `directories.bin` field of a package, it fails to properly validate the path, allowing a malicious npm package to specify a crafted path. This directory traversal vulnerability enables the package to escape its intended directory and modify file permissions (chmod 755) at arbitrary locations on the system. This issue primarily affects Unix, Linux, and macOS operating systems.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-01-26 23:01:47 UTC

pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch.