2433605 – (CVE-2026-24056) CVE-2026-24056 pnpm: pnpm symlink traversal in file:/git dependencies

Bug 2433605 (CVE-2026-24056) - CVE-2026-24056 pnpm: pnpm symlink traversal in file:/git dependencies

Summary: CVE-2026-24056 pnpm: pnpm symlink traversal in file:/git dependencies

Keywords:
Status:	NEW
Alias:	CVE-2026-24056
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-27 22:01 UTC by OSIDB Bzimport
Modified:	2026-01-28 21:56 UTC (History)
CC List:	20 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-27 22:01:32 UTC

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies andCI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch.

Note You need to log in before you can comment on or make changes to this bug.

asoldano
bbaranow
bmaxwell
brian.stansberry
darran.lofthouse
dosoudil
fjuma
istudens
ivassile
iweiss
mosmerov
msvehla
nwallace
pberan
pesilva
pjindal
pmackay
rstancel
smaestri
tom.jenkinson