<Vulnerability name="CVE-2026-50016">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-25T16:53:16</PublicDate>
    <Bugzilla id="2493040" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493040" xml:lang="en:us">
pnpm: pnpm: Arbitrary code execution due to path traversal in dependency aliases
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>8.0</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-22</CWE>
    <Details xml:lang="en:us" source="Mitre">
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause `pnpm install --ignore-scripts` to replace paths in the current project with symlinks to attacker-controlled dependency package directories. This vulnerability is fixed in 10.34.0 and 11.4.0.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in pnpm, a package manager. This vulnerability allows a malicious registry package to include specially crafted dependency aliases that contain path traversal segments. During the installation process, pnpm incorrectly processes these aliases, which can lead to the replacement of legitimate project paths with symbolic links (symlinks) pointing to directories controlled by an attacker. This could enable an attacker to execute arbitrary code or manipulate project files, severely impacting the integrity and security of the project.
    </Details>
    <Statement xml:lang="en:us">
This Important flaw in pnpm, a JavaScript package manager, allows an attacker to achieve arbitrary code execution by publishing a malicious package to a registry. During installation, even with `--ignore-scripts`, specially crafted dependency aliases can lead to path traversal, replacing legitimate project files with symlinks to attacker-controlled directories. This bypasses expected security measures and can compromise the integrity of a project when subsequent commands are executed.
    </Statement>
    <PackageState cpe="cpe:/a:redhat:amq_broker:7">
        <ProductName>Red Hat AMQ Broker 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:8">
        <ProductName>Red Hat JBoss Enterprise Application Platform 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-50016
https://nvd.nist.gov/vuln/detail/CVE-2026-50016
https://github.com/pnpm/pnpm/security/advisories/GHSA-hwx4-2j3j-g496
    </References>
</Vulnerability>