What is CVE-2026-23890?

### Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. ### Details The vulnerability exists in the bin name validation and normalization logic: **1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)** The filter allows any bin name starting with `@` to pass through without validation: ```typescript .filter((commandName) => encodeURIComponent(commandName) === commandName || commandName === '' || commandName[0] === '@' // <-- Bypasses validation ) ``` **2. Incomplete Normalization (`pkg-manager/package-bins/src/index.ts`)** ```typescript function normalizeBinName (name: string): string { return name[0] === '@' ? name.slice(name.indexOf('/') + 1) : name } // Input: @scope/../../evil // Output: ../../evil <-- Path traversal preserved! ``` **3. Exploitation (`pkg-manager/link-bins/src/index.ts:288`)** The normalized name is used directly in `path.join()` without validation. ### PoC 1. Create a malicious package: ```json { "name": "malicious-pkg", "version": "1.0.0", "bin": { "@scope/../../.npmrc": "./malicious.js" } } ``` 2. Install the package: ```bash pnpm add /path/to/malicious-pkg ``` 3. Observe `.npmrc` created in project root (outside node_modules/.bin). ### Impact - All pnpm users who install npm packages - CI/CD pipelines using pnpm - Can overwrite config files, scripts, or other sensitive files Verified on pnpm main @ commit 5a0ed1d45.

What is the severity of CVE-2026-23890?

CVE-2026-23890 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-23890?

No known public exploits are currently available for CVE-2026-23890.

Is there a patch available for CVE-2026-23890?

Yes, patches are available for CVE-2026-23890. Check the vendor advisories for update instructions.

CVE-2026-23890 - CVE Details, Severity, and Analysis

Q: What is the severity of CVE-2026-23890?

CVE-2026-23890 has a CVSS v3 score of 0, which is classified as Low severity.

Q: Is there an exploit available for CVE-2026-23890?

No known public exploits are currently available for CVE-2026-23890.

Q: Is there a patch available for CVE-2026-23890?

Yes, patches are available for CVE-2026-23890. Check the vendor advisories for update instructions.

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of node_modules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal sequences like ../../ remain intact.

Details

The vulnerability exists in the bin name validation and normalization logic:

1. Validation Bypass (pkg-manager/package-bins/src/index.ts)

The filter allows any bin name starting with @ to pass through without validation:

.filter((commandName) =>
  encodeURIComponent(commandName) === commandName ||
  commandName === '' ||
  commandName[0] === '@'  // <-- Bypasses validation
)

2. Incomplete Normalization (pkg-manager/package-bins/src/index.ts)

function normalizeBinName (name: string): string {
  return name[0] === '@' ? name.slice(name.indexOf('/') + 1) : name
}
// Input:  @scope/../../evil
// Output: ../../evil  <-- Path traversal preserved!

3. Exploitation (pkg-manager/link-bins/src/index.ts:288)

The normalized name is used directly in path.join() without validation.

PoC

Create a malicious package:

{
  "name": "malicious-pkg",
  "version": "1.0.0",
  "bin": {
    "@scope/../../.npmrc": "./malicious.js"
  }
}

Install the package:

pnpm add /path/to/malicious-pkg

Observe .npmrc created in project root (outside node_modules/.bin).

Impact

All pnpm users who install npm packages
CI/CD pipelines using pnpm
Can overwrite config files, scripts, or other sensitive files

Verified on pnpm main @ commit 5a0ed1d45.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com