{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24131", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-21T18:38:22.474Z", "datePublished": "2026-01-26T22:03:33.808Z", "dateUpdated": "2026-01-27T21:37:51.868Z"}, "containers": {"cna": {"title": "pnpm has Path Traversal via arbitrary file permission modification", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-732", "lang": "en", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq"}, {"name": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943"}, {"name": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2"}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"version": "< 10.28.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:03:33.808Z"}, "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `\"directories\": {\"bin\": \"../../../../tmp\"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch."}], "source": {"advisory": "GHSA-v253-rj99-jwpq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:37:39.852167Z", "id": "CVE-2026-24131", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:37:51.868Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24131", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T21:37:39.852167Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:37:44.487Z"}}], "cna": {"title": "pnpm has Path Traversal via arbitrary file permission modification", "source": {"advisory": "GHSA-v253-rj99-jwpq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"status": "affected", "version": "< 10.28.2"}]}], "references": [{"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq", "name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943", "name": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2", "name": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `\"directories\": {\"bin\": \"../../../../tmp\"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:03:33.808Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24131", "state": "PUBLISHED", "dateUpdated": "2026-01-27T21:37:51.868Z", "dateReserved": "2026-01-21T18:38:22.474Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-26T22:03:33.808Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BA06266E-E70F-4B2B-AA69-7482EEE8A7A0", "versionEndExcluding": "10.28.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `\"directories\": {\"bin\": \"../../../../tmp\"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch."}], "id": "CVE-2026-24131", "lastModified": "2026-01-28T17:05:46.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-26T22:15:56.830", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-732"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "pnpm: pnpm: Arbitrary file permission modification via directory traversal", "id": "2433115", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433115"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "(CWE-22|CWE-732)", "details": ["A flaw was found in pnpm, a package manager. When pnpm processes the `directories.bin` field of a package, it fails to properly validate the path, allowing a malicious npm package to specify a crafted path. This directory traversal vulnerability enables the package to escape its intended directory and modify file permissions (chmod 755) at arbitrary locations on the system. This issue primarily affects Unix, Linux, and macOS operating systems."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that only trusted npm packages are used with `pnpm`. Avoid installing packages from untrusted or unverified sources to prevent the processing of malicious package `directories.bin` fields."}, "name": "CVE-2026-24131", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-01-26T22:03:33Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24131\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24131\nhttps://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943\nhttps://github.com/pnpm/pnpm/releases/tag/v10.28.2\nhttps://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq"], "statement": "This vulnerability is rated Moderate for Red Hat products as it allows a malicious npm package to perform path traversal, leading to arbitrary file permission modification (chmod 755) outside the intended package directory. This issue affects systems running pnpm on Unix/Linux-based Red Hat environments when processing untrusted npm packages.", "threat_severity": "Moderate"}