2 matches found
pnpm has Windows-specific tarball Path Traversal
Summary A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for ./ but not .. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability...
PT-2026-4824
Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.28.1 Description A path traversal flaw exists in pnpm's tarball extraction process on Windows systems. The vulnerability stems from incomplete path normalization, specifically failing to account for . in addition to ....