CVE-2026-23889 Overview
CVE-2026-23889 is a path traversal vulnerability in pnpm, a popular Node.js package manager. Prior to version 10.28.1, the tarball extraction functionality fails to properly normalize Windows-style backslash path separators, allowing malicious packages to write files outside the intended package directory. The path normalization logic only checks for ./ sequences but not .\\, which on Windows systems can be exploited to traverse directories and overwrite arbitrary files.
Critical Impact
Malicious npm packages can overwrite sensitive configuration files such as .npmrc, build configurations, or other critical files on Windows systems, potentially leading to credential theft or supply chain compromise.
Affected Products
- pnpm versions prior to 10.28.1
- Microsoft Windows operating systems
- Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps)
Discovery Timeline
- 2026-01-26 - CVE CVE-2026-23889 published to NVD
- 2026-01-28 - Last updated in NVD database
Technical Details for CVE-2026-23889
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in pnpm's tarball extraction functionality. When extracting package tarballs, pnpm attempts to prevent directory traversal attacks by checking for ./ sequences in file paths. However, the implementation fails to account for Windows-specific path separators where backslashes (\) function as directory delimiters. An attacker can craft a malicious tarball containing files with paths like ..\..\.npmrc which bypass the security check but still achieve path traversal on Windows systems.
The vulnerability requires user interaction—specifically, a victim must install a malicious package—and affects file integrity by allowing unauthorized file writes. This makes it particularly dangerous in automated CI/CD environments where packages may be installed without manual review.
Root Cause
The root cause is an incomplete path normalization implementation that only validates forward-slash directory traversal sequences (./) while ignoring Windows-style backslash sequences (.\\). This platform-specific oversight allows malicious tarball entries to escape the intended extraction directory on Windows systems.
Attack Vector
An attacker can exploit this vulnerability by publishing a malicious npm package containing a specially crafted tarball with file entries using backslash-based path traversal sequences. When a Windows user or CI/CD pipeline installs this package using a vulnerable version of pnpm, the malicious files are written outside the package directory. Key targets include:
- .npmrc files containing registry credentials and authentication tokens
- Build configuration files (e.g., package.json, build scripts)
- Source code files that could be modified to inject malicious code
// Security patch from pnpm commit 6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
}
}
- if (fileName.includes('./')) {
- // Bizarre edge case
- fileName = path.posix.join('/', fileName).slice(1)
+ if (fileName.includes('./') || fileName.includes('.\\')) {
+ // Normalize path traversal attempts (including Windows backslash traversal)
+ // Replaces backslashes with forward slashes and uses POSIX path normalization to resolve ..
+ fileName = path.posix.join('/', fileName.replaceAll('\\', '/')).slice(1)
}
// Values '\0' and '0' are normal files.
Source: GitHub Commit Details
Detection Methods for CVE-2026-23889
Indicators of Compromise
- Unexpected file modifications outside node_modules directories following package installation
- Modified .npmrc files or build configuration files with unauthorized changes
- Tarball entries containing backslash-based path sequences (..\ or .\\) in package archives
Detection Strategies
- Monitor file system activity during pnpm install operations for writes outside expected directories
- Implement package scanning to detect suspicious path patterns in tarball entries before installation
- Review npm audit logs for packages with unusual file path structures
Monitoring Recommendations
- Enable file integrity monitoring on critical configuration files (.npmrc, package.json, build scripts)
- Configure Windows security auditing to log file creation and modification events in project directories
- Implement alerting for unexpected file system operations originating from Node.js processes
How to Mitigate CVE-2026-23889
Immediate Actions Required
- Upgrade pnpm to version 10.28.1 or later immediately on all Windows systems
- Audit recent package installations on Windows machines for any signs of file system tampering
- Review .npmrc and build configuration files for unauthorized modifications
- Verify registry authentication tokens have not been compromised
Patch Information
The pnpm team has released version 10.28.1 which contains the security fix. The patch modifies the parseTarball.ts file in the store/cafs module to properly normalize both forward-slash and backslash path traversal attempts. The fix replaces backslashes with forward slashes and applies POSIX path normalization to prevent directory escape. For detailed information, see the GitHub Security Advisory GHSA-6x96-7vc8-cm3p and the GitHub Release v10.28.1.
Workarounds
- If immediate upgrade is not possible, consider temporarily switching to Linux-based CI/CD runners
- Implement file system permissions to restrict write access to sensitive configuration directories
- Use package-lock files with integrity checks to detect tampering
# Upgrade pnpm to patched version
npm install -g pnpm@10.28.1
# Verify installed pnpm version
pnpm --version
# Audit existing projects for integrity
pnpm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
