CVE-2026-24131 Overview
CVE-2026-24131 is a Path Traversal vulnerability in pnpm, a popular package manager for Node.js. Prior to version 10.28.2, when pnpm processes a package's directories.bin field, it uses path.join() without validating that the result stays within the package root. A malicious npm package can specify "directories": {"bin": "../../../../tmp"} to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations on the filesystem.
Critical Impact
This vulnerability lets a malicious npm package change file permissions at arbitrary filesystem locations on Unix/Linux/macOS. The chmod runs with the privileges of the user who invoked pnpm, so it reaches any file that user owns, and everything on the host when pnpm runs as root, as it commonly does in container builds. Mode 755 grants read and execute to every account on the machine, so a private file such as a key or credential store becomes readable by other local users and a planted script becomes executable, which is how the issue can feed privilege escalation or bypass of security controls.
Affected Products
- pnpm versions prior to 10.28.2 on Unix/Linux/macOS
- Node.js environments using vulnerable pnpm versions
- CI/CD pipelines and build systems utilizing pnpm
Discovery Timeline
- 2026-01-26 - CVE-2026-24131 published to NVD
- 2026-01-28 - Last updated in NVD database
Technical Details for CVE-2026-24131
Vulnerability Analysis
The vulnerability stems from insufficient path validation in pnpm's handling of the directories.bin field within package manifests. When processing a package, pnpm reads the directories.bin configuration to locate executable scripts that should be linked into node_modules/.bin. The package manager uses path.join() to combine the package path with the specified bin directory, but fails to verify that the resulting path remains within the package's directory structure.
This oversight allows an attacker to craft a malicious npm package with a directories.bin value containing path traversal sequences (e.g., ../../../../tmp). When this package is installed, pnpm follows the manipulated path and applies chmod 755 permissions to files outside the package boundary, potentially affecting system-critical files or directories.
The vulnerability specifically affects the fixBin functionality, which is gated by EXECUTABLE_SHEBANG_SUPPORTED and only applies to Unix-like operating systems. Windows systems are not affected by this issue.
Root Cause
The root cause is improper input validation (CWE-22: Path Traversal) in the pkg-manager/package-bins/src/index.ts file. The code failed to implement a path containment check using a function like isSubdir() to ensure that the resolved binDir path remains within the pkgPath boundary before proceeding with file operations.
Attack Vector
An attacker can exploit this vulnerability by publishing a malicious npm package to a public or private registry. The attack requires:
- Creating a package with a malicious directories.bin field containing path traversal sequences
- Having a victim install the package using a vulnerable version of pnpm
- The fixBin operation then applies chmod 755 to files at attacker-controlled locations
This is a local attack vector requiring user interaction (package installation), but it can be weaponized through supply chain attacks or typosquatting.
// Security patch from pkg-manager/package-bins/src/index.ts
}
if (manifest.directories?.bin) {
const binDir = path.join(pkgPath, manifest.directories.bin)
+ // Validate: directories.bin must be within the package root
+ if (!isSubdir(pkgPath, binDir)) {
+ return []
+ }
const files = await findFiles(binDir)
return files.map((file) => ({
name: path.basename(file),
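Review bot: the `return []` on the `!isSubdir(pkgPath, binDir)` path drops the package's bins silently, so a manifest that tries to escape the package root is installed with no signal to the user; since a directories.bin outside the package is never legitimate, consider logging a warning or failing the install at that point rather than returning an empty list. Also, isSubdir() is evaluated on the lexical result of path.join(), so a symlink inside binDir that points outside pkgPath is not caught by this check; if findFiles(binDir) follows symlinks, the later chmod step should resolve real paths or skip links.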
Source: GitHub Commit
Detection Methods for CVE-2026-24131
Indicators of Compromise
- Package manifests containing directories.bin values with .. path traversal sequences
- Unexpected chmod operations on files outside of node_modules directories
- File permission changes in /tmp, system directories, or other sensitive locations following pnpm operations
Detection Strategies
- Inspect the package.json of each newly added or updated dependency for a directories.bin value containing .., since pnpm's install output does not show manifest contents
- Implement file integrity monitoring on critical system directories to detect unauthorized permission changes
- Use software composition analysis (SCA) tools to identify vulnerable pnpm versions in your environment
- Audit package.json files in dependencies for path traversal patterns in the directories field
Monitoring Recommendations
- Enable verbose logging during pnpm package installations in CI/CD pipelines
- Deploy endpoint detection and response (EDR) tooling or auditd rules to record anomalous chmod activity (on Linux the chmod, fchmod and fchmodat system calls) by the user or service account that runs pnpm
- Implement package provenance verification and lock file integrity checks
- Use SentinelOne Singularity to detect and alert on suspicious file permission modifications
How to Mitigate CVE-2026-24131
Immediate Actions Required
- Upgrade pnpm to version 10.28.2 or later immediately
- Audit recently installed packages for suspicious directories.bin configurations
- Review file permission changes on critical system files following recent pnpm operations
- Install with pnpm install --frozen-lockfile in CI so that only the packages already recorded in pnpm-lock.yaml are installed; this blocks a silently resolved new version but does not help if a malicious package is already in the lockfile
Patch Information
The pnpm team has addressed this vulnerability in version 10.28.2. The patch adds path validation using an isSubdir() check to ensure that the resolved directories.bin path remains within the package root before any file operations are performed. Users should upgrade to this version or later to remediate the vulnerability.
For detailed information, refer to the GitHub Security Advisory and the release notes for v10.28.2.
Workarounds
- If immediate upgrade is not possible, manually review package.json files of all dependencies for path traversal patterns
- Use a .pnpmfile.cjs readPackage hook to reject or strip directories.bin values that leave the package root before pnpm links or chmods anything
- Use containerized or sandboxed build environments to limit the impact of potential exploitation
- Consider temporarily switching to alternative package managers until pnpm can be upgraded
# Upgrade pnpm to patched version
npm install -g pnpm@10.28.2
# Verify installed version
pnpm --version
# Check the project's dependencies against the registry advisory database
# (this reports vulnerable dependencies; it does not inspect directories.bin
# values and does not cover the globally installed pnpm itself)
pnpm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.