CVE-2026-50015 is a high-severity path traversal vulnerability in pnpm (npm), affecting versions < 10.34.0. It is fixed in 10.34.0, 11.4.0.
Summary pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or delete arbitrary files on the filesystem during pnpm install, as the user running the install. The diff --git header paths containing ../../ sequences traverse out of the package directory, and the traversal is difficult to catch in code review because patch file diff headers are opaque to most reviewers. Vulnerability Details During pnpm install, when a patchedDependencies entry is present in pnpm-workspace.yaml, pnpm reads the referenced .patch file and applies it via the embedded @pnpm/patch-package library. The applyPatchToDir function at patching/apply-patch/src/index.ts:12-13 calls process.chdir(opts.patchedDir), setting the working directory to the installed package location deep inside nodemodules/.pnpm/. The patch parser at @pnpm/patch-package/dist/patch/parse.js:88 extracts file paths from diff --git a/(.?) b/(.?) headers using a regex with no path sanitization. The executeEffects function in apply.js then operates on these unsanitized paths: File write (apply.js:35-49): File delete (apply.js:13-22): A path like ../../../../../../../../../../home/user/.ssh/authorizedkeys in the patch header traverses out of the package directory to an arbitrary location. Proof of Concept Impact Arbitrary file write and delete as the user running pnpm install, limited to paths writable by that user. An attacker who submits a PR adding a .patch file and patchedDependencies config can target SSH authorizedkeys, shell configuration, CI/CD files, or other writable files. Patch files may receive less review scrutiny than package.json changes because the ../ traversal sequences are in diff --git headers that look like patch metadata. Suggested Remediation Validate parsed patch file paths against the package root directory. Reject any path that resolves outside the patched package directory via path.resolve + prefix check. Alternatively, sanitize at parse time by rejecting paths containing .. components in parse.js. Discovered by AutoFyn Full audit report: auditreport.md Exploit script: exploit.sh
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-50015 has a CVSS score of 7.3 (High). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (10.34.0, 11.4.0). Upgrading removes the vulnerable code path.
npm
pnpm (< 10.34.0)pnpm (>= 11.0.0, < 11.4.0)pnpm → 10.34.0 (npm)pnpm → 11.4.0 (npm)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-50015 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-50015 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-50015 in your environment →Upgrade the following packages to resolve this vulnerability:
pnpm to 10.34.0 or laterpnpm to 11.4.0 or laterKodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-50015 is a high-severity path traversal vulnerability in pnpm (npm), affecting versions < 10.34.0. It is fixed in 10.34.0, 11.4.0. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
CVE-2026-50015 has a CVSS score of 7.3 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
pnpm (npm) versions < 10.34.0 is affected.
Yes. CVE-2026-50015 is fixed in 10.34.0, 11.4.0. Upgrade to this version or later.
Whether CVE-2026-50015 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
pnpm to 10.34.0 or laterpnpm to 11.4.0 or later