CVE-2026-23889: Pnpm Path Traversal Vulnerability

CVE-2026-23889 Overview

CVE-2026-23889 is a path traversal vulnerability in pnpm, a popular Node.js package manager. Prior to version 10.28.1, the tarball extraction functionality fails to properly normalize Windows-style backslash path separators, allowing malicious packages to write files outside the intended package directory. The path normalization logic only checks for ./ sequences but not .\\, which on Windows systems can be exploited to traverse directories and overwrite arbitrary files.

Critical Impact

Malicious npm packages can overwrite sensitive configuration files such as .npmrc, build configurations, or other critical files on Windows systems, potentially leading to credential theft or supply chain compromise.

Affected Products

• pnpm versions prior to 10.28.1
• Microsoft Windows operating systems
• Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps)

Discovery Timeline

• 2026-01-26 - CVE CVE-2026-23889 published to NVD
• 2026-01-28 - Last updated in NVD database

Technical Details for CVE-2026-23889

Vulnerability Analysis

This path traversal vulnerability (CWE-22) exists in pnpm's tarball extraction functionality. When extracting package tarballs, pnpm attempts to prevent directory traversal attacks by checking for ./ sequences in file paths. However, the implementation fails to account for Windows-specific path separators where backslashes (\) function as directory delimiters. An attacker can craft a malicious tarball containing files with paths like ..\..\.npmrc which bypass the security check but still achieve path traversal on Windows systems.

The vulnerability requires user interaction—specifically, a victim must install a malicious package—and affects file integrity by allowing unauthorized file writes. This makes it particularly dangerous in automated CI/CD environments where packages may be installed without manual review.

Root Cause

The root cause is an incomplete path normalization implementation that only validates forward-slash directory traversal sequences (./) while ignoring Windows-style backslash sequences (.\\). This platform-specific oversight allows malicious tarball entries to escape the intended extraction directory on Windows systems.

Attack Vector

An attacker can exploit this vulnerability by publishing a malicious npm package containing a specially crafted tarball with file entries using backslash-based path traversal sequences. When a Windows user or CI/CD pipeline installs this package using a vulnerable version of pnpm, the malicious files are written outside the package directory. Key targets include:

• .npmrc files containing registry credentials and authentication tokens
• Build configuration files (e.g., package.json, build scripts)
• Source code files that could be modified to inject malicious code

// Security patch from pnpm commit 6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
       }
     }
 
-    if (fileName.includes('./')) {
-      // Bizarre edge case
-      fileName = path.posix.join('/', fileName).slice(1)
+    if (fileName.includes('./') || fileName.includes('.\\')) {
+      // Normalize path traversal attempts (including Windows backslash traversal)
+      // Replaces backslashes with forward slashes and uses POSIX path normalization to resolve ..
+      fileName = path.posix.join('/', fileName.replaceAll('\\', '/')).slice(1)
     }
 
     // Values '\0' and '0' are normal files.

Source: GitHub Commit Details

Detection Methods for CVE-2026-23889

Indicators of Compromise

• Unexpected file modifications outside node_modules directories following package installation
• Modified .npmrc files or build configuration files with unauthorized changes
• Tarball entries containing backslash-based path sequences (..\ or .\\) in package archives

Detection Strategies

• Monitor file system activity during pnpm install operations for writes outside expected directories
• Implement package scanning to detect suspicious path patterns in tarball entries before installation
• Review npm audit logs for packages with unusual file path structures

Monitoring Recommendations

• Enable file integrity monitoring on critical configuration files (.npmrc, package.json, build scripts)
• Configure Windows security auditing to log file creation and modification events in project directories
• Implement alerting for unexpected file system operations originating from Node.js processes

How to Mitigate CVE-2026-23889

Immediate Actions Required

• Upgrade pnpm to version 10.28.1 or later immediately on all Windows systems
• Audit recent package installations on Windows machines for any signs of file system tampering
• Review .npmrc and build configuration files for unauthorized modifications
• Verify registry authentication tokens have not been compromised

Patch Information

The pnpm team has released version 10.28.1 which contains the security fix. The patch modifies the parseTarball.ts file in the store/cafs module to properly normalize both forward-slash and backslash path traversal attempts. The fix replaces backslashes with forward slashes and applies POSIX path normalization to prevent directory escape. For detailed information, see the GitHub Security Advisory GHSA-6x96-7vc8-cm3p and the GitHub Release v10.28.1.

Workarounds

• If immediate upgrade is not possible, consider temporarily switching to Linux-based CI/CD runners
• Implement file system permissions to restrict write access to sensitive configuration directories
• Use package-lock files with integrity checks to detect tampering

# Upgrade pnpm to patched version
npm install -g pnpm@10.28.1

# Verify installed pnpm version
pnpm --version

# Audit existing projects for integrity
pnpm audit