pnpm is vulnerable to Path Traversal
Low Risk
When pnpm installs with the hoisted node linker, it rebuilds the dependency graph from the lockfile and joins each dependency alias directly under a node_modules directory. On an up-to-date or frozen lockfile the resolution step is skipped, so alias validation never runs and a crafted alias is used as a raw path component. A malicious lockfile alias containing path-traversal segments can escape the install root, and reserved aliases such as .bin, .pnpm, or node_modules can overwrite pnpm-owned layout, letting package files land outside the intended directory. The fix validates every alias at the directory sink and adds an always-on lockfile verification gate that rejects invalid dependency aliases before any fetch or filesystem work.
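One way to implement the two defences the fix describes, alias validation plus a directory-sink check that refuses any resolved path outside node_modules. This is an added illustration in TypeScript, not pnpm's own code; the function names and the sample aliases are assumptions.

```typescript
import * as path from "node:path";

// Names pnpm reserves inside node_modules (taken from the advisory text).
const RESERVED_ALIASES = new Set([".bin", ".pnpm", "node_modules"]);

/**
 * Returns null when `alias` is safe to use as a directory name under
 * node_modules, or a short reason when it must be rejected.
 * Accepted shapes are `name` or `@scope/name`; everything else is refused.
 */
function validateAlias(alias: string): string | null {
  if (alias.length === 0) return "empty alias";
  if (alias.includes("\0")) return "null byte in alias";
  if (alias.includes("\\")) return "backslash in alias";
  if (path.posix.isAbsolute(alias)) return "absolute path as alias";
  const segments = alias.split("/");
  const scoped = segments[0].startsWith("@");
  if (scoped && segments.length !== 2) return "scoped alias must be @scope/name";
  if (!scoped && segments.length !== 1) return "unexpected path separator in alias";
  for (const seg of segments) {
    if (seg === "" || seg === "." || seg === "..") return `traversal segment "${seg}"`;
    if (RESERVED_ALIASES.has(seg)) return `reserved name "${seg}"`;
  }
  return null;
}

/**
 * Directory-sink check: resolves `alias` under `nodeModulesDir` and throws if
 * the result would land outside it. The containment test runs even though
 * validateAlias already passed, so a future gap in validation still cannot
 * escape the install root.
 */
function aliasTargetDir(nodeModulesDir: string, alias: string): string {
  const reason = validateAlias(alias);
  if (reason !== null) {
    throw new Error(`invalid dependency alias ${JSON.stringify(alias)}: ${reason}`);
  }
  const root = path.resolve(nodeModulesDir);
  const target = path.resolve(root, alias);
  if (!target.startsWith(root + path.sep)) {
    throw new Error(`alias ${JSON.stringify(alias)} resolves outside ${root}`);
  }
  return target;
}

// Constructed sample aliases as a lockfile might carry them (not real lockfile data).
const SAMPLE_ALIASES = ["lodash", "@types/node", "../../escape", ".bin", "node_modules", "@scope/.."];

/** Lockfile verification gate: map each alias to null (ok) or a rejection reason. */
function checkLockfileAliases(aliases: string[] = SAMPLE_ALIASES): Record<string, string | null> {
  const report: Record<string, string | null> = {};
  for (const a of aliases) report[a] = validateAlias(a);
  return report;
}
```

Running the gate over the whole lockfile before any fetch or filesystem work, as `checkLockfileAliases` does, is what keeps a crafted alias from ever reaching the join.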
You are affected if you are using a version that falls within the vulnerable range.
pnpm is vulnerable to Path Traversal in versions 6.25.0 - 11.6.0.
Upgrade pnpm to the patched version.