Bug 2493036 (CVE-2026-55699) - CVE-2026-55699 pnpm: pnpm: Denial of Service due to improper handling of malicious package manifest bin keys
Summary: CVE-2026-55699 pnpm: pnpm: Denial of Service due to improper handling of mali...
Keywords:
Status: NEW
Alias: CVE-2026-55699
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-25 18:02 UTC by OSIDB Bzimport
Modified: 2026-07-06 14:09 UTC (History)
32 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-25 18:02:55 UTC
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent. This vulnerability is fixed in 10.34.2 and 11.5.3.


Note You need to log in before you can comment on or make changes to this bug.