CNNVD-202601-4327 Information

CNNVD ID

CNNVD-202601-4327

Related CVE

CVE-2026-23889

• CNNVD Published: 2026-01-26

Description (Chinese)

pnpm是pnpm开源的一个包管理器。 pnpm 10.28.1之前版本存在路径遍历漏洞，该漏洞源于tarball提取存在路径遍历，可能导致恶意包在Windows系统上的包目录外写入文件。

Description (English)

pnpm is a package manager for pnpm open source. There was a path-to-path loophole in the pre-pnpm10.28.1, which originated in the tarball extraction of the path-to-path loop, which could lead to the malicious package writing files outside the directory of the Windows system.

Hazard Level

High

Vulnerability Type

路径遍历

Affected Vendor

pnpm

Published

2026-01-26

Last Modified

2026-02-24

References

https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0 https://github.com/pnpm/pnpm/releases/tag/v10.28.1 https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p

Patch

https://github.com/pnpm/pnpm/releases