pnpm (npm Package Manager), Path Traversal via Reserved Bin Names, CVE-2026-55699 (High) -DC-Jun2026-736


How CVE-2026-55699 Works

This vulnerability resides in pnpm’s global package management flow, specifically within the validation of binary (bin) names defined in package manifests. The core issue is that pnpm failed to properly sanitize certain reserved path segments—namely empty strings (""), current directory references ("."), and parent directory references ("..")—when these were used as keys in a package’s `bin` object.
The vulnerable data flow begins in the `bins/resolver` component, which converts manifest `bin` object keys into `binName` values. This resolver only required URL-safe text or the `$` character, meaning it did not reject empty, dot, or dot-dot names. Consequently, a malicious package installed globally could have a `bin` object containing these reserved names.
Later, when a user performed a global operation such as `pnpm remove`, `pnpm update`, or an add-replacement flow, the `scanGlobalPackages.ts` component would read the installed package's manifest and return these unsafe `bin.name` values. `globalRemove.ts`, `globalUpdate.ts`, and the other global commands would then join these names to the global binary directory path with `path.join(globalBinDir, binName)`. The resulting path was passed to `removeBins.ts`, which recursively deleted it.
For a `"."` bin name, this targets the global bin directory itself (e.g., `PNPM_HOME`). For a `".."` bin name, it targets the parent directory of the global bin directory. This meant that legitimate global management operations could inadvertently delete critical directories outside the intended scope, leading to a denial of service or system instability.

DailyCVE Form

Platform: pnpm (npm)
Version: < 10.34.2, < 11.5.3
Vulnerability: Path Traversal (CWE-22, CWE-73)
Severity: High (CVSS 8.1)
Date: 2026-06-26

Prediction: Patch released 2026-06-25

What Undercode Say: Analytics

The following commands and code snippets are derived from the official patch and validation process for this vulnerability.

Patch Validation Commands

Run these from a checkout of the shared patch branch to validate the fix:

```sh
# Build the resolver and global commands
./node_modules/.bin/tsgo --build bins/resolver/tsconfig.json
./node_modules/.bin/tsgo --build global/commands/tsconfig.json

# Lint the affected files
./node_modules/.bin/eslint bins/resolver/src/index.ts bins/resolver/test/index.ts global/commands/test/globalRemove.test.ts

# Run resolver tests (subshell, so the relative node_modules path stays correct
# and the next step still starts from the repository root)
(cd bins/resolver && NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/index.ts --runInBand)

# Run global-remove regression test
(cd global/commands && NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/globalRemove.test.ts -t "global remove ignores reserved manifest bin names" --runInBand)

# Check Rust parity implementation
cargo fmt --manifest-path pacquet/crates/cmd-shim/Cargo.toml --check
cargo test --manifest-path pacquet/crates/cmd-shim/Cargo.toml bin_resolver --lib

# Final diff check
git diff --check -- bins/resolver global/commands/test/globalRemove.test.ts pacquet/crates/cmd-shim .changeset/strange-bin-segments.md pnpm-lock.yaml
```

Key Code Changes

The core fix in `bins/resolver/src/index.ts` now rejects empty, dot, and dot-dot bin names after scope stripping. The `pacquet/crates/cmd-shim/src/bin_resolver.rs` mirrors this rejection for parity.

Exploit: How to Trigger

A successful exploit requires user interaction, as an attacker must trick a user into installing a malicious package globally.
1. Craft Malicious Package: An attacker creates an npm package with a `package.json` manifest containing a `bin` object with a reserved key, such as:

```json
{
  "name": "malicious-package",
  "version": "1.0.0",
  "bin": {
    "..": "./script.js"
  }
}
```

2. Global Installation: The victim installs this package globally using `pnpm add -g malicious-package`. The installation succeeds because the unsafe bin name is not rejected at install time.
3. Trigger Deletion: The victim later runs a global management command, such as `pnpm remove -g malicious-package` or `pnpm update -g`.
4. Path Traversal: The `globalRemove` flow reads the manifest, retrieves the `".."` bin name, and calls `path.join(globalBinDir, "..")`, which resolves to the parent directory of `PNPM_HOME`.
5. Recursive Deletion: The `removeBins` function recursively deletes this parent directory, leading to significant data loss or system instability.

Protection: Mitigation Strategies

The primary and most effective protection is to upgrade pnpm to a patched version.
– Immediate Action: Upgrade to pnpm version 10.34.2 or 11.5.3 or later.
– Verification: After upgrading, verify the fix by attempting to install a package with a reserved bin name; it should be rejected.
– Alternative (Not Recommended): As a temporary workaround, avoid using `pnpm` for global package management until an upgrade is possible. However, this is not a complete solution as it limits functionality.

Impact

  • Confidentiality: No direct impact. The vulnerability is a deletion/corruption primitive, not a read or disclosure path.
  • Integrity: High. An attacker could cause the deletion of critical system files or directories, corrupting the environment.
  • Availability: High. Recursively deleting the global bin directory or its parent can render the system or the pnpm installation inoperable, leading to a denial of service.
  • CVSS Score: 8.1 (High). The corrected vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H.


Sources:

Reported By: github.com
