CVE-2026-23888 Overview
CVE-2026-23888 is a path traversal vulnerability in pnpm's binary fetcher that allows malicious packages to write files outside the intended extraction directory. This vulnerability affects the popular Node.js package manager and can be exploited through two distinct attack vectors targeting the ZIP extraction mechanism.
Critical Impact
Attackers can overwrite configuration files, scripts, or other sensitive files, potentially leading to Remote Code Execution (RCE) on affected systems.
Affected Products
- pnpm versions prior to 10.28.1
- All pnpm users who install packages with binary assets
- CI/CD pipelines that auto-install binary dependencies
Discovery Timeline
- 2026-01-26 - CVE-2026-23888 published to NVD
- 2026-01-28 - Last updated in NVD database
Technical Details for CVE-2026-23888
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in pnpm's binary fetcher component, which handles the extraction of binary assets from package archives. The vulnerability enables malicious packages to escape the intended extraction directory and write files to arbitrary locations on the filesystem.
The flaw impacts organizations running development environments and CI/CD pipelines where pnpm automatically installs package dependencies. When a malicious package is installed, it can overwrite critical system files, inject malicious code into existing scripts, or compromise configuration files—all of which can lead to full system compromise.
Root Cause
The root cause lies in insufficient path validation during ZIP archive extraction. The vulnerability manifests through two specific weaknesses:
AdmZip Extraction Flaw: The extractAllTo method from AdmZip does not properly sanitize ZIP entries containing path traversal sequences like ../ or absolute paths, allowing files to escape the extraction root directory.
Unsanitized Prefix Concatenation: The BinaryResolution.prefix field is directly concatenated into the extraction path without validation. A crafted prefix value such as ../../evil can redirect extracted files outside the intended targetDir.
Attack Vector
The attack is network-based and requires user interaction: a victim must install a malicious package containing crafted ZIP archives. An attacker would publish a package to a registry (public or private) with specially crafted binary assets. When a user runs pnpm install on a project depending on this malicious package, the crafted entry names and prefix are honoured during extraction, and files are written to attacker-chosen locations.
The security patch introduces the is-subdir library to validate that all extracted file paths remain within the intended target directory:
import { type BinaryFetcher, type FetchFunction, type FetchResult } from '@pnpm/fetcher-base'
import { addFilesFromDir } from '@pnpm/worker'
import AdmZip from 'adm-zip'
+import isSubdir from 'is-subdir'
import renameOverwrite from 'rename-overwrite'
import tempy from 'tempy'
import ssri from 'ssri'
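Review bot: the hunk adds the is-subdir import, but none of the quoted lines show where the check is applied; the validation has to cover both points named in the root-cause analysis, the per-entry destination paths produced by AdmZip's extractAllTo and the BinaryResolution.prefix concatenation, and it should compare fully resolved absolute paths so that a prefix such as ../../evil is rejected before any entry is written rather than after.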
Source: GitHub Commit 5c382f0
The patch also includes test fixtures to verify path traversal protection, demonstrating proper ZIP file creation with sanitized paths:
+/**
+ * Script to generate malicious ZIP fixtures for path traversal testing.
+ *
+ * AdmZip's addFile() sanitizes paths automatically, so we need to create
+ * raw ZIP files manually to test path traversal protection.
+ *
+ * Run with: node --experimental-strip-types scripts/create-fixtures.ts
+ */
+import fs from 'fs'
+import path from 'path'
+
+/**
+ * Create a minimal ZIP file with a given entry path (not sanitized).
+ * This creates a valid ZIP structure with a single uncompressed file entry.
+ */
+function createZipWithEntry (entryPath: string, content: string): Buffer {
+ const contentBuf = Buffer.from(content)
+
+ // Local file header (30 bytes + filename)
+ const localHeader = Buffer.alloc(30 + entryPath.length)
+ localHeader.writeUInt32LE(0x04034b50, 0) // Local file header signature
+ localHeader.writeUInt16LE(20, 4) // Version needed to extract
+ localHeader.writeUInt16LE(0, 6) // General purpose flags
+ localHeader.writeUInt16LE(0, 8) // Compression method (0 = store)
+ localHeader.writeUInt16LE(0, 10) // Last mod file time
+ localHeader.writeUInt16LE(0, 12) // Last mod file date
+ localHeader.writeUInt32LE(0, 14) // CRC-32 (fake but okay for tests)
+ localHeader.writeUInt32LE(contentBuf.length, 18) // Compressed size
+ localHeader.writeUInt32LE(contentBuf.length, 22) // Uncompressed size
+ localHeader.writeUInt16LE(entryPath.length, 26) // Filename length
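Review bot: `Buffer.alloc(30 + entryPath.length)` and `localHeader.writeUInt16LE(entryPath.length, 26)` use the JavaScript string length, which differs from the encoded byte length for non-ASCII entry names, so the local file header would be malformed for such fixtures; use `Buffer.byteLength(entryPath)` in both places (and for the filename write that follows the header). The zero CRC-32 at offset 14 is documented as deliberate, which is fine for these fixtures, but the comment should say that extractors which verify CRCs will reject the entry, so a test that expects extraction to succeed must not rely on these files.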
Source: GitHub Commit 5c382f0
Detection Methods for CVE-2026-23888
Indicators of Compromise
- Unexpected file modifications outside of node_modules directories during package installation
- Modified configuration files (.bashrc, .npmrc, .gitconfig) with unauthorized content
- New or altered executable scripts in system paths or project root directories
- Package installations containing ZIP entries with ../ sequences or absolute paths
Detection Strategies
- Implement file integrity monitoring (FIM) on critical configuration files and scripts during CI/CD pipeline execution
- Monitor pnpm installation logs for unusual extraction paths or error messages related to file operations
- Audit installed packages for suspicious binary or optionalDependencies entries pointing to untrusted sources
- Use SentinelOne's Singularity platform to detect anomalous file write operations during package manager processes
Monitoring Recommendations
- Enable verbose logging for pnpm operations in development and CI/CD environments using pnpm --loglevel debug
- Configure alerts for file creation or modification events outside expected directories during npm/pnpm processes
- Implement package allowlisting to restrict installation of packages with binary dependencies to vetted sources only
How to Mitigate CVE-2026-23888
Immediate Actions Required
- Upgrade pnpm to version 10.28.1 or later immediately across all development environments and CI/CD pipelines
- Audit recently installed packages with binary dependencies for signs of compromise
- Review file integrity of configuration files and scripts in affected systems
- Consider temporarily disabling automatic binary dependency installation until patched
Patch Information
The vulnerability has been patched in pnpm version 10.28.1. The fix introduces proper path validation using the is-subdir library to ensure all extracted files remain within the intended target directory. Organizations should upgrade immediately by running:
npm install -g pnpm@10.28.1
For detailed patch information, see the GitHub Security Advisory GHSA-6pfh-p556-v868 and the release notes for version 10.28.1.
Workarounds
- Use package lockfiles (pnpm-lock.yaml) with integrity checks to prevent installation of tampered packages
- Configure pnpm to use a private registry with package vetting and scanning enabled
- Implement network isolation for package installations to limit the impact of potential compromises
- Consider using the --ignore-scripts flag to prevent post-install scripts from executing until packages are verified; this limits lifecycle scripts only and does not by itself stop the binary asset extraction where the traversal occurs, so it complements rather than replaces the upgrade
# Upgrade pnpm to the patched version
npm install -g pnpm@10.28.1
# Verify installed version
pnpm --version
# Alternative: Use corepack to manage pnpm version
corepack prepare pnpm@10.28.1 --activate
# Run installations with script safety (temporary workaround)
pnpm install --ignore-scripts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.