<Vulnerability name="CVE-2026-55699">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-25T16:44:32</PublicDate>
    <Bugzilla id="2493036" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493036" xml:lang="en:us">
pnpm: pnpm: Denial of Service due to improper handling of malicious package manifest bin keys
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-22</CWE>
    <Details xml:lang="en:us" source="Mitre">
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent. This vulnerability is fixed in 10.34.2 and 11.5.3.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in pnpm, a package manager. When a malicious package with specially crafted manifest bin object keys (such as "." or "..") is installed globally, subsequent package management operations like removal, update, or replacement could lead to the deletion of critical directories. This could allow an attacker to cause a Denial of Service (DoS) by targeting the global bin directory or its parent.
    </Details>
    <Statement xml:lang="en:us">
This Moderate severity flaw in pnpm, a package manager, could lead to a Denial of Service. When a malicious package with specially crafted manifest bin object keys is installed globally, subsequent package management operations can inadvertently delete critical system directories, including the global bin directory or its parent. This requires an attacker to first trick a user into installing a malicious package globally, limiting the immediate exploitability in typical Red Hat deployments.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this issue, users should avoid installing pnpm packages from untrusted sources globally. Exercise caution and verify the integrity of packages before global installation to prevent the introduction of malicious manifest bin keys.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:amq_broker:7">
        <ProductName>Red Hat AMQ Broker 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:8">
        <ProductName>Red Hat JBoss Enterprise Application Platform 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-55699
https://nvd.nist.gov/vuln/detail/CVE-2026-55699
https://github.com/pnpm/pnpm/security/advisories/GHSA-4gxm-v5v7-fqc4
    </References>
</Vulnerability>