pnpm Path Traversal Vulnerability in directories.bin Field Allows Arbitrary File Permission Modification

Vulnerability

A path traversal vulnerability has been identified in pnpm, a package manager, prior to version 10.28.2. When pnpm processes a package's directories.bin field, it uses path.join() without validating that the result remains within the package root. This oversight allows a malicious npm package to specify a bin directory that escapes the package directory, leading to unauthorized modification of file permissions at arbitrary locations. The vulnerability affects Unix, Linux, and macOS systems, while Windows is not impacted.

Impact

Successful exploitation allows arbitrary modification of file permissions: files that were mode 600 (owner-only) are changed to 755, which is world-readable (and executable). A malicious npm package could use this to expose sensitive information or to run scripts that were never intended to be publicly accessible.

Reproduction

To reproduce this vulnerability, create a malicious npm package whose directories.bin field points to a location outside the package directory. After publishing this package, install it using pnpm. Because the resolved bin path is never checked against the package root, the installation traverses the file system to the target location and changes the permissions of any files there to be world-readable.

Remediation

Users can upgrade to pnpm version 10.28.2 or later, where this vulnerability has been patched.

Added: Jan 26, 2026, 10:19 PM
Updated: Jan 26, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 1.0
exploitability: 5.4
remediation: 7.7
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.