{"vulnerability": "ghsa-qrv3-253h-g69c", "sightings": [{"uuid": "dde19016-f83b-4d30-9633-4f6a83a54453", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-QRV3-253H-G69C", "type": "seen", "source": "https://gist.github.com/alon710/ce97a7a2201a10b1242cd90e0ea16a7d", "content": "# GHSA-QRV3-253H-G69C: GHSA-QRV3-253H-G69C: Path Traversal and Arbitrary Symlink Creation via configDependencies in pnpm\n\n&gt; **CVSS Score:** 8.3\n&gt; **Published:** 2026-06-27\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-QRV3-253H-G69C\n\n## Summary\nA high-severity path traversal vulnerability exists in the pnpm package manager. By crafting a malicious lockfile (pnpm-lock.yaml) with path traversal characters in the configDependencies block, an attacker can create arbitrary directories and symlinks outside the project's node_modules/.pnpm-config directory. This exploitation happens automatically during pnpm installation, even when executing with scripts disabled via the --ignore-scripts flag.\n\n## TL;DR\nA path traversal vulnerability in pnpm's configDependencies handling allows malicious lockfiles to create arbitrary directories and symbolic links outside of node_modules, bypassing the execution boundaries of --ignore-scripts during package installation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-22\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 8.3\n- **EPSS Score**: N/A\n- **Impact**: Integrity (High)\n- **Exploit Status**: Proof of Concept (PoC) Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- pnpm package manager for Node.js\n- **pnpm**: &gt;= 0 &lt; 10.34.4 (Fixed in: `10.34.4`)\n- **pnpm**: &gt;= 11.0.0 &lt; 11.8.0 (Fixed in: `11.8.0`)\n\n## Mitigation\n\n- Upgrade pnpm to version 10.34.4+ or 11.8.0+ depending on the release line in use.\n- Execute automated lockfile parsing and linting in CI/CD pipelines to block the pull-request phase if traversal sequences are found within pnpm-lock.yaml.\n- Run package installations inside isolated containerized environments to restrict the impact of path escapes on the host filesystem.\n\n**Remediation Steps:**\n1. Verify the current version of the pnpm client by running 'pnpm -v'.\n2. Upgrade the package manager globally using 'npm install -g pnpm@latest' or 'npm install -g pnpm@11.8.0'.\n3. Add validation engine rules in project package.json files to strictly require secure versions of pnpm.\n\n## References\n\n- [GitHub Security Advisory GHSA-QRV3-253H-G69C](https://github.com/advisories/GHSA-QRV3-253H-G69C)\n- [pnpm Project Repository](https://github.com/pnpm/pnpm)\n- [OSV Vulnerability Record](https://api.osv.dev/v1/vulns/GHSA-qrv3-253h-g69c)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-QRV3-253H-G69C) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-27T00:42:18.378119Z"}]}