Key vulnerability information

Vulnerability summary
Title: Scoped bin name path traversal allows arbitrary file creation outside node_modules/.bin
Published by: zkochan 7 hours ago
Vulnerability: GHSA-xpqm-wm3m-f34h
Severity: Moderate (6.5/10)
CVE ID: CVE-2026-23890
Weakness: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")

Affected and fixed versions
Affected versions: < 10.28.1
Patched version: 10.28.1

Description
Summary: A path traversal vulnerability in pnpm's bin linking allows a malicious npm package to create executable shims or symlinks outside of node_modules/.bin. Bin names beginning with a certain prefix bypass validation, and after scope normalization the path traversal sequence in the name remains intact.

Vulnerability details
Validation bypass: the bin name validation logic contains a filter that skips validation entirely for command names starting with that prefix.
Incomplete normalization: bin name normalization preserves the path traversal sequence after processing the name.
Exploitation: the normalized name is then used directly to build the shim path, with no check that the resulting path stays inside node_modules/.bin.

Proof of concept (PoC)
1. Create a malicious npm package whose package.json "bin" field contains a crafted command name.
2. Install this package with an affected version of pnpm.
3. A file appears outside node_modules/.bin.

Impact
Affects all pnpm users who install npm packages, including transitive dependencies they did not choose directly.
Potentially impacts CI/CD pipelines, where installs run unattended and the written file may be picked up by a later step.
Can overwrite configuration, scripts, or other sensitive files reachable from the project directory.

Remediation
Upgrade pnpm to at least version 10.28.1. Check the installed version with `pnpm --version`, and make sure pinned versions in CI images and lockfiles are updated as well, since a pipeline running an older pnpm remains exposed regardless of what developers run locally.