8.8 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.
References
Affected products
- ==< 10.33.4
- ==>= 11.0.0, < 11.4.0
Matching in nixpkgs
pkgs.pnpm
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_8
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_9
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_10
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_11
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_10_29_2
Fast, disk space efficient package manager for JavaScript
pkgs.pnpmBuildHook
None
pkgs.pnpmConfigHook
None
pkgs.pnpm-fixup-state-db
None
Package maintainers
-
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>
-
@Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
-
@donovanglover Donovan Glover