pnpm Path Traversal Vulnerability in Tarball Extraction on Windows

Vulnerability

A path traversal vulnerability has been identified in pnpm, a package manager, prior to version 10.28.1. This vulnerability allows malicious packages to write files outside the package directory on Windows systems. The issue arises because the path normalization process only checks for './' and not for '.\', which matters on Windows because backslashes also serve as directory separators there. As a result, a tarball entry path such as 'foo\..\..\.npmrc' passes the check and can be used to traverse directories and overwrite files outside the intended location. This vulnerability affects Windows pnpm users and CI/CD pipelines using GitHub Actions Windows runners or Azure DevOps. Exploitation can lead to the unintended modification of important files such as '.npmrc' or build configuration files.

Impact

Successful exploitation allows for arbitrary file writes outside the package directory, potentially overwriting critical files like '.npmrc' or other configuration files.

Reproduction

To reproduce this vulnerability, create a malicious tarball that includes a file entry with a path traversal sequence using backslashes, such as 'foo\..\..\.npmrc'. This tarball can then be published to a registry or used as a dependency in a project. When 'pnpm install' is executed on a Windows system, the '.npmrc' file will be written outside the package directory, demonstrating the path traversal exploit.

Remediation

Users should update to pnpm version 10.28.1 or later, where this vulnerability has been patched.

Added: Jan 26, 2026, 10:23 PM
Updated: Jan 26, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 3.1
exploitability: 5.6
remediation: 7.7
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.