CNNVD-202601-4323 Information

CNNVD ID

CNNVD-202601-4323

CVE-2026-24131

  • CNNVD Published: 2026-01-26

Description (Chinese)

pnpm is an open-source package manager from pnpm. Versions of pnpm before 10.28.2 contain a security vulnerability that stems from the path not being validated when a package's directories.bin field is processed, which may allow a malicious npm package to modify the permissions of files at arbitrary locations on Unix/Linux/macOS systems.

Description (English)

pnpm is an open-source package manager. Versions of pnpm before 10.28.2 contain a security vulnerability: the path given in a package's directories.bin field is not validated, which could allow a malicious npm package to modify the permissions of files at arbitrary locations on Unix/Linux/macOS systems.

Hazard Level

High

Vulnerability Type

Other

Affected Vendor

pnpm

Published

2026-01-26

Last Modified

2026-02-24

References

  • https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943
  • https://github.com/pnpm/pnpm/releases/tag/v10.28.2
  • https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq

Patch

https://github.com/pnpm/pnpm/releases