CVE-2026-50016
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk23th percentile — higher than 23% of all known CVEs
Summary
pnpm before versions 10.34.0 and 11.4.0 allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm uses that alias as a filesystem path when linking dependency nodes, enabling an attacker to replace paths in the current project with symlinks to attacker-controlled directories.
Risk Assessment
An attacker can publish a malicious package to the registry that, during installation (even with --ignore-scripts), replaces existing project files or directories with symlinks, leading to project compromise or data exfiltration.
Recommendation
Upgrade pnpm to version 10.34.0 or 11.4.0 immediately, which fix the path traversal vulnerability via dependency aliases.
Original NVD description (English source)
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.

