enhanced-resolve is vulnerable to Path Traversal
Medium Risk
The SymlinkPlugin resolver step resolves symlink components and then re-resolves the real filesystem path through downstream plugins, including RestrictionsPlugin. When an in-root symlink points outside a configured restrictions root, the pre-fix code rejected the real target but still returned the original in-root symlink path as a successful resolve. An attacker who can place symlinks under an allowed directory can therefore bypass path confinement and cause module resolution to succeed for files outside the restricted root. The fix treats the symlink-resolved real path as authoritative and stops resolution when that path is rejected, instead of falling back to the unresolved symlink path.
You are affected if you are using a version that falls within the vulnerable range.
enhanced-resolve is vulnerable to Path Traversal in versions 4.2.0 - 5.22.0.
Upgrade the enhanced-resolve library to a patched version.