pnpm, Path Traversal, Critical Vulnerability (CVE-2024-50376)

Listen to this Post

How the mentioned CVE works:

The vulnerability exists in the binary fetching and extraction logic of pnpm. Attack Vector 1: When extracting downloaded ZIP files (e.g., Node.js binaries), pnpm uses the `AdmZip` library’s `extractAllTo` method. This method does not validate or sanitize paths of entries within the ZIP archive. A malicious archive containing entries with absolute paths or paths including `../` sequences (like ../../../.npmrc) will have those files written outside the intended extraction directory (nodeDir), enabling arbitrary file write. Attack Vector 2: The `BinaryResolution.prefix` field from a package’s resolution definition is directly concatenated into the file system path via `path.join(nodeDir, basename)` without validation. An attacker controlling this field (e.g., via a malicious package or registry) can set `prefix` to a path like ../../evil, causing extracted files to be written to an arbitrary location outside the targetDir.
Platform: pnpm
Version: <9.15.0
Vulnerability: Path Traversal
Severity: Critical
date: 2025-04-24

Prediction: Patch expected 2025-05-01

What Undercode Say:

$ pnpm install malicious-pkg

Code from fetching/binary-fetcher/src/index.ts

zip.extractAllTo(nodeDir, true);

Code from resolving/resolver-base/src/index.ts

const extractedDir = path.join(nodeDir, basename);

Exploit:

import zipfile

zf.writestr(‘../../../.npmrc’, …)

{

“prefix”: “../../PWNED”

}

Protection from this CVE

Update pnpm >=9.15.0.

Sanitize archive paths.

Validate `BinaryResolution.prefix`.

Impact:

Arbitrary File Write

Potential RCE

CI/CD Compromise

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top