pnpm Symlink Traversal Vulnerability in File and Git Dependencies Allows Local Data Leakage

Vulnerability

A symlink traversal vulnerability has been identified in pnpm, a package manager, in versions prior to 10.28.2. It is triggered when pnpm installs dependencies from 'file:' (directory) or 'git:' sources. pnpm follows symlinks inside such a package and copies the contents of their targets without checking that those targets lie within the package root. A malicious package can therefore ship a symlink to an absolute path such as '/etc/passwd' or '~/.ssh/id_rsa', and pnpm will copy that file's contents into the project's 'node_modules' directory, leaking local data. Affected parties are developers installing local or file dependencies and CI/CD pipelines that pull in git dependencies. Exposed data can include sensitive information such as AWS credentials, npm configuration files, or SSH private keys.

Impact

Exploitation of this vulnerability results in the unintentional disclosure of local files, including sensitive information such as AWS credentials, npm configuration files, or SSH private keys, into the 'node_modules' directory of the affected project.

Reproduction

To reproduce this vulnerability, create a malicious npm package that includes a symlink pointing to a sensitive file, such as '/etc/passwd' or '~/.ssh/id_rsa'. Once the package is created, install it using pnpm in a directory that does not contain the sensitive file. After the installation, the contents of the linked file will be available in the 'node_modules' directory, demonstrating the data leakage.

Remediation

Users can upgrade to pnpm version 10.28.2 or later, where this vulnerability has been patched.

Added: Jan 26, 2026, 10:20 PM
Updated: Jan 26, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 0.8
exploitability: 5.8
remediation: 7.7
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.