6.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
pnpm: reserved bin name deletes PNPM_HOME during global remove
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent. This vulnerability is fixed in 10.34.2 and 11.5.3.
References
Affected products
- ==< 10.34.2
- ==>= 11.0.0, < 11.5.3
Matching in nixpkgs
pkgs.pnpm
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_8
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_9
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_10
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_11
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_10_29_2
Fast, disk space efficient package manager for JavaScript
pkgs.pnpmBuildHook
None
pkgs.pnpmConfigHook
None
pkgs.pnpm-fixup-state-db
None
Package maintainers
-
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>
-
@Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
-
@donovanglover Donovan Glover