CVE-2026-55699
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
In pnpm prior to versions 10.34.2 and 11.5.3, a vulnerability was discovered where manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent.
Risk Assessment
An attacker could exploit this vulnerability to delete or overwrite files outside the intended binary directory, potentially leading to privilege escalation or system instability.
Recommendation
Immediately update pnpm to version 10.34.2 or 11.5.3, which contain the fix for this vulnerability.
Original NVD description (English source)
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent. This vulnerability is fixed in 10.34.2 and 11.5.3.

