pnpm Path Traversal Vulnerability in Binary Fetcher Allows Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in pnpm's binary fetcher in versions prior to 10.28.1. It allows a malicious package to write files outside the intended extraction directory. The flaw arises from unvalidated ZIP entry paths and improper handling of the 'BinaryResolution.prefix' field, either of which can redirect extracted files to unintended locations. The issue affects all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations, and CI/CD pipelines that automatically install binary dependencies. Exploitation could overwrite configuration files, scripts, or other sensitive files, potentially enabling remote code execution.

Impact

Exploitation of this vulnerability could result in arbitrary file writes, bypassing normal directory restrictions. This could be used to overwrite sensitive files, such as configuration or script files, leading to potential remote code execution.

Reproduction

The vulnerability can be reproduced by creating a ZIP file whose entry names contain traversal sequences, such as '../../../.npmrc', or absolute paths, such as '/etc/passwd'. The crafted ZIP is hosted and then referenced in a package's binary resolution. When pnpm's binary fetcher processes this ZIP, the unvalidated entry paths escape the intended extraction directory and files are written to unauthorized locations. After extraction, a verification step can check whether the malicious entries were written outside the target directory, confirming the path traversal.

Remediation

Users should update to pnpm version 10.28.1 or later, where this vulnerability has been patched. The latest version can be downloaded from the pnpm GitHub releases page.

Added: Jan 26, 2026, 10:23 PM
Updated: Jan 26, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread          6.6
impact          6.0
exploitability  5.6
remediation     7.7
relevance       2.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.