GHSA-V23M-CCFG-PQ9H

Vulnerability from github – Published: 2026-06-26 23:54 – Updated: 2026-06-26 23:54
VLAI
Summary
pnpm: `stage download` writes outside its destination directory via manifest name/version traversal
Details

Summary

The staged-tarball filename traversal reported as GHSA-v23m-ccfg-pq9h / CAND-PNPM-038 is fixed on main by pnpm/pnpm#12303, merged as 65443f4bdf1f0db9c8c7dc58fee25252607e9234.

Before the fix, pnpm stage download derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe filename, and verifies the final destination before writing.

Security boundary

  • Package names and semantic versions are validated before they can influence a local filename.
  • POSIX and Windows path separators are rejected by basename checks.
  • Stage download and tarball summary paths use the same filename helper.
  • The resolved output path must remain an immediate child of the selected download directory.
  • The stage identifier is already constrained to a UUID.

Exploit replay

Before 65443f4bdf, a traversal-bearing manifest version could make the command write outside the selected directory. After the fix, malicious package names fail with ERR_PNPM_INVALID_PACKAGE_NAME, malicious versions fail with ERR_PNPM_INVALID_PACKAGE_VERSION, no outside file is created, and the download directory remains empty.

Files changed

  • releasing/commands/src/tarball/safeTarballFilename.ts validates manifest identity and rejects cross-platform path separators.
  • releasing/commands/src/stage/download.ts verifies the resolved destination before writing.
  • releasing/commands/src/tarball/summarizeTarball.ts uses the same filename contract.
  • releasing/commands/test/stage.test.ts covers traversal through both package name and version.
  • .changeset/stale-stage-tarballs.md includes patch bumps for @pnpm/releasing.commands and pnpm.

Patch

  • Merged PR: https://github.com/pnpm/pnpm/pull/12303
  • Fix commit: 65443f4bdf1f0db9c8c7dc58fee25252607e9234
  • The private candidate branch was not submitted because it conflicts with and is superseded by the merged fix. The upstream patch is slightly stronger because it covers malicious package names as well as versions.

Commands run

$ git diff --check 65443f4bdf^ 65443f4bdf
PASS
$ gh pr view 12303 --repo pnpm/pnpm --json state,mergeCommit,statusCheckRollup
MERGED as 65443f4bdf

Validation

  • Upstream regression coverage rejects traversal through both manifest name and version and verifies that no outside file is created.
  • Compile and lint, dependency audit, Linux Node.js 22/24/26, CodeQL, and zizmor checks passed on the merged public PR.
  • The Windows Node.js 22 full-suite job timed out in the unrelated pnpm/test/dlx.ts cache test after 512 other tests passed. The PR was merged by the maintainer; the failure did not involve the staging code.
  • The earlier private candidate's focused exploit regression, positive control, package compile, ESLint, and git diff --check also passed.

Compatibility

Staging and release commands are TypeScript-only. Pacquet does not expose this command family, so no Rust-side port is required.

Remaining risk

The final fs.writeFile follows a pre-existing symlink at the exact in-directory output name. That requires separate local filesystem access and is not controllable through the registry manifest traversal described here.


Written by an agent (Codex, GPT-5).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pnpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.3.0"
            },
            {
              "fixed": "11.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T23:54:52Z",
    "nvd_published_at": "2026-06-25T18:16:41Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe staged-tarball filename traversal reported as GHSA-v23m-ccfg-pq9h / CAND-PNPM-038 is fixed on `main` by [pnpm/pnpm#12303](https://github.com/pnpm/pnpm/pull/12303), merged as `65443f4bdf1f0db9c8c7dc58fee25252607e9234`.\n\nBefore the fix, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe filename, and verifies the final destination before writing.\n\n## Security boundary\n\n- Package names and semantic versions are validated before they can influence a local filename.\n- POSIX and Windows path separators are rejected by basename checks.\n- Stage download and tarball summary paths use the same filename helper.\n- The resolved output path must remain an immediate child of the selected download directory.\n- The stage identifier is already constrained to a UUID.\n\n## Exploit replay\n\nBefore `65443f4bdf`, a traversal-bearing manifest version could make the command write outside the selected directory. After the fix, malicious package names fail with `ERR_PNPM_INVALID_PACKAGE_NAME`, malicious versions fail with `ERR_PNPM_INVALID_PACKAGE_VERSION`, no outside file is created, and the download directory remains empty.\n\n## Files changed\n\n- `releasing/commands/src/tarball/safeTarballFilename.ts` validates manifest identity and rejects cross-platform path separators.\n- `releasing/commands/src/stage/download.ts` verifies the resolved destination before writing.\n- `releasing/commands/src/tarball/summarizeTarball.ts` uses the same filename contract.\n- `releasing/commands/test/stage.test.ts` covers traversal through both package name and version.\n- `.changeset/stale-stage-tarballs.md` includes patch bumps for `@pnpm/releasing.commands` and `pnpm`.\n\n## Patch\n\n- Merged PR: https://github.com/pnpm/pnpm/pull/12303\n- Fix commit: `65443f4bdf1f0db9c8c7dc58fee25252607e9234`\n- The private candidate branch was not submitted because it conflicts with and is superseded by the merged fix. The upstream patch is slightly stronger because it covers malicious package names as well as versions.\n\n## Commands run\n\n```text\n$ git diff --check 65443f4bdf^ 65443f4bdf\nPASS\n$ gh pr view 12303 --repo pnpm/pnpm --json state,mergeCommit,statusCheckRollup\nMERGED as 65443f4bdf\n```\n\n## Validation\n\n- Upstream regression coverage rejects traversal through both manifest name and version and verifies that no outside file is created.\n- Compile and lint, dependency audit, Linux Node.js 22/24/26, CodeQL, and zizmor checks passed on the merged public PR.\n- The Windows Node.js 22 full-suite job timed out in the unrelated `pnpm/test/dlx.ts` cache test after 512 other tests passed. The PR was merged by the maintainer; the failure did not involve the staging code.\n- The earlier private candidate\u0027s focused exploit regression, positive control, package compile, ESLint, and `git diff --check` also passed.\n\n## Compatibility\n\nStaging and release commands are TypeScript-only. Pacquet does not expose this command family, so no Rust-side port is required.\n\n## Remaining risk\n\nThe final `fs.writeFile` follows a pre-existing symlink at the exact in-directory output name. That requires separate local filesystem access and is not controllable through the registry manifest traversal described here.\n\n---\nWritten by an agent (Codex, GPT-5).",
  "id": "GHSA-v23m-ccfg-pq9h",
  "modified": "2026-06-26T23:54:52Z",
  "published": "2026-06-26T23:54:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v23m-ccfg-pq9h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55700"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/pull/12303"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pnpm/pnpm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pnpm: `stage download`\u00a0writes outside its destination directory via manifest name/version traversal"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…