CVE-2026-50015
Last modified
CVE-2026-50015 is a high-severity vulnerability rated 7.3/10 on the CVSS scale. pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extracted from .patch files. EPSS estimates a 0.25% chance of exploitation in the next 30 days.
Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or delete arbitrary files on the filesystem during pnpm install, as the user running the install. The diff --git header paths containing ../../ sequences traverse out of the package directory, and the traversal is difficult to catch in code review because patch file diff headers are opaque to most reviewers. This vulnerability is fixed in 10.34.0 and 11.4.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Weakness Enumeration
References
Timeline
- Published
- Last Modified
- Status
- Undergoing Analysis
Frequently Asked Questions
What is CVE-2026-50015?
How severe is CVE-2026-50015?
How do I fix CVE-2026-50015?
Are you affected by CVE-2026-50015?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST