CVE-2026-50015
HighCVSS 7.3Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
A vulnerability in pnpm package manager prior to versions 10.34.0 and 11.4.0 allows an attacker to write or delete arbitrary files on the filesystem during pnpm install. The issue stems from missing path validation in .patch files, enabling the use of ../ sequences to escape the package directory.
Risk Assessment
An attacker can compromise the victim's filesystem by overwriting critical configuration files or deleting data, leading to system integrity violation and potential application takeover.
Recommendation
Immediately upgrade pnpm to version 10.34.0 or 11.4.0, which contain the fix. Before upgrading, review all .patch files in repositories for suspicious path sequences.
Original NVD description (English source)
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or delete arbitrary files on the filesystem during pnpm install, as the user running the install. The diff --git header paths containing ../../ sequences traverse out of the package directory, and the traversal is difficult to catch in code review because patch file diff headers are opaque to most reviewers. This vulnerability is fixed in 10.34.0 and 11.4.0.

