CVE-2026-23888

Published: 26 Jan 2026
Source: redhat
CVSS3: 6.5

Description

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) malicious ZIP entries containing ../ or absolute paths that escape the extraction root via AdmZip's extractAllTo, and (2) the BinaryResolution.prefix field is concatenated into the extraction path without validation, allowing a crafted prefix like ../../evil to redirect extracted files outside targetDir. The issue impacts all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations, and CI/CD pipelines that auto-install binary dependencies. It can lead to overwriting config files, scripts, or other sensitive files, leading to RCE. Version 10.28.1 contains a patch.

A flaw was found in pnpm, a package manager. A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. This can occur through malicious ZIP entries containing directory traversal sequences (../) or absolute paths, or by a crafted BinaryResolution.prefix field. An attacker could exploit this to overwrite sensitive files, potentially leading to remote code execution (RCE).
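To make the two vectors concrete, here is an added example (not pnpm's own code) of the containment check an extractor needs: it validates the prefix as a plain relative path and normalises each ZIP entry name before joining, rejecting anything that would resolve outside the extraction root. The archive fixture is constructed in memory for the check; the entry names and the `node-v20.0.0-linux-x64` prefix are illustrative assumptions.

```python
import io
import posixpath
import zipfile

# Added example, not pnpm's code. Paths are treated as POSIX strings; the caller
# joins the returned relative path onto the extraction root (targetDir).


def _has_drive(p: str) -> bool:
    """True for Windows-style 'C:...' names, which must never be joined."""
    return len(p) > 1 and p[1] == ":" and p[0].isalpha()


def is_safe_prefix(prefix: str) -> bool:
    """Allow only an empty prefix or one built from plain path segments.
    Rejects absolute paths, drive letters, and any '', '.' or '..' segment."""
    if prefix == "":
        return True
    p = prefix.replace("\\", "/")
    if p.startswith("/") or _has_drive(p):
        return False
    return all(seg not in ("", ".", "..") for seg in p.split("/"))


def contained_relpath(prefix: str, entry_name: str):
    """Return the normalised path of a ZIP entry relative to the extraction root,
    or None if the prefix or the entry would escape that root (Zip Slip)."""
    if not is_safe_prefix(prefix):
        return None
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or _has_drive(name):
        return None
    rel = posixpath.normpath(posixpath.join(prefix, name))
    # After normalisation any escape shows up as a leading '..' component.
    if rel in (".", "..") or rel.startswith("../"):
        return None
    return rel


def check_archive(zip_bytes: bytes, prefix: str) -> dict:
    """Map each entry name to its contained relative path, or None if rejected."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: contained_relpath(prefix, n) for n in zf.namelist()}


def build_sample_archive() -> bytes:
    """Constructed in-memory fixture: one benign entry and two escaping ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bin/node", "marker")               # benign
        zf.writestr("../../.profile", "marker")         # relative traversal
        zf.writestr("/etc/profile.d/x.sh", "marker")    # absolute path
    return buf.getvalue()
```

Symlinks already present under the extraction root are a separate concern: a real extractor should also refuse to follow them when writing.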

Statement

This vulnerability is rated Moderate for Red Hat Enterprise Application Platform. A path traversal flaw in pnpm's binary fetcher allows malicious packages to write files outside the intended directory. This could lead to remote code execution if an attacker can provide a specially crafted package.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Affected packages

Platform | Package | State | Advisory | Release
Red Hat JBoss Enterprise Application Platform 8 | org.keycloak-keycloak-parent | Fix deferred | - | -
Red Hat JBoss Enterprise Application Platform Expansion Pack | org.keycloak-keycloak-parent | Fix deferred | - | -

Additional information

Status:

Moderate
Weakness:
CWE-22
https://bugzilla.redhat.com/show_bug.cgi?id=2433095
pnpm: pnpm: Arbitrary file write via path traversal in binary fetcher leading to remote code execution

6.5 Medium

CVSS3

Related vulnerabilities

CVSS3: 6.5
nvd
2 months ago

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. The issue impacts all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations and CI/CD pipelines that auto-install binary dependencies. It can lead to overwriting config files, scripts, or other sensitive files leading to RCE. Version 10.28.1 contains a patch.

CVSS3: 6.5
debian
2 months ago

pnpm is a package manager. Prior to version 10.28.1, a path traversal ...

CVSS3: 6.5
github
2 months ago

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

CVSS3: 6.5
fstec
2 months ago

Vulnerability in the scripts fetching/binary-fetcher/src/index.ts and resolving/resolver-base/src/index.ts of the pnpm package manager, allowing an attacker to write arbitrary files
