Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
Vulnerability Description
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Vulnerability Type
Relative Path Traversal
Vulnerability Title
pnpm security vulnerability
Vulnerability Description
pnpm is an open-source package manager from the pnpm project. Versions of pnpm prior to 10.28.1 contain a security vulnerability caused by path traversal in bin linking, which may allow a malicious npm package to create executable files or symbolic links outside node_modules/.bin.
CVSS Information
N/A
Vulnerability Type
N/A