CNNVD-202601-4332 Information

CNNVD ID

CNNVD-202601-4332

Related CVE

CVE-2026-24056

• CNNVD Published: 2026-01-26

Description (Chinese)

pnpm是pnpm开源的一个包管理器。 pnpm 10.28.2之前版本存在后置链接漏洞，该漏洞源于安装file:或git:依赖时跟随符号链接，可能导致本地数据泄露。

Description (English)

pnpm is a package manager for pnpm open source. Pnpm 10.2.8.2 has a backlink loophole that originates from the installation file: or git: following a symbol link when relying, which may lead to local data leakage.

Hazard Level

High

Vulnerability Type

后置链接

Affected Vendor

pnpm

Published

2026-01-26

Last Modified

2026-02-24

References

https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f https://github.com/pnpm/pnpm/releases/tag/v10.28.2 https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw

Patch

https://github.com/pnpm/pnpm/releases