CVE-2026-55699

Summary

<details> <summary>Maintainer Action Plan</summary> Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. Advisory: CAND-PNPM-085 / GHSA-4gxm-v5v7-fqc4 Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-4gxm-v5v7-fqc4 Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1 Shared patch branch: security/ghsa-batch-2026-06-09 Patch commit: a93449314f398cf4bdf2e28d033c02d37395ad22 Base commit: origin/main 55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec Maintainer priority: appendix Component: pnpm global add/remove bin cleanup Patch area: bin name/path segment validation Affected packages: npm:pnpm CWE IDs: CWE-22, CWE-73 Conservative CVSS: 6.5 / CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Next action: review the shared patch branch for this component, set the final affected version range, merge and release the fix, then publish or close the advisory. Expected Patched Behavior Reserved, dot, and path-segment bin names are rejected or ignored; global remove leaves PNPMHOME and the sentinel file intact. Files And Tests To Review bins/resolver/src/index.ts bins/resolver/test/index.ts global/commands/test/globalRemove.test.ts pacquet/crates/cmd-shim/src/binresolver.rs pacquet/crates/cmd-shim/src/binresolver/tests.rs .changeset/strange-bin-segments.md Focused Validation Run these from a checkout of the shared patch branch. They are the useful maintainer commands with machine-local artifact paths removed. Use the private PR checks plus the patched replay coverage matrix for this candidate. The full patched replay for the shared branch passed with all 20 candidates marked fixed. This candidate's replay evidence is results/CAND-PNPM-085-patched-result.json. <!-- maintainer-action:end --> Title Reserved manifest bin names can make global package operations delete outside the global bin directory </details> Description Summary Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent. Details The vulnerable dataflow was: bins/resolver/src/index.ts converted manifest bin object keys to binName and only required URL-safe text or $. Empty, dot, dot-dot, and scoped forms such as @scope/.. were not rejected after scope stripping. global/packages/src/scanGlobalPackages.ts scanned installed global package manifests and returned manifest-derived bin.name values. global/commands/src/globalRemove.ts, global/commands/src/globalUpdate.ts, and global add replacement logic joined those names to globalBinDir. bins/remover/src/removeBins.ts recursively removed the resulting path. Install-time checks did not close the gap: bin target paths were package-root checked, conflict checks looked at the same escaped path but did not reject reserved segments, and bin-link warning paths could leave the package installed for later global operations. PoC Run: The script first performs a safe prepatch simulation in a temporary directory: It then validates the patched implementation: The patched resolver no longer emits reserved bin names, and the global-remove regression proves the deletion sink receives only path.join(globalBinDir, "good"). Impact Direct confidentiality impact was not validated for this primitive; the sink is deletion/corruption, not a read or disclosure path. Affected Products Ecosystem: npm Package name: pnpm Affected versions: versions before the patch that accept reserved manifest bin names in TypeScript global package flows. Patched versions: pending release containing the shared bin-name hardening. Severity Corrected vulnerable severity: High Corrected vulnerable vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Corrected vulnerable score: 8.1 Final post-patch score: 0.0, not vulnerable after patch. The original scan score was 8.3 with C:H/I:H/A:L. Revalidation removes direct confidentiality impact and raises availability to high because the sink can recursively delete the global bin directory or its parent. Weaknesses CWE-22: Improper Limitation of a Pathname to a Restricted Directory CWE-73: External Control of File Name or Path Patch bins/resolver/src/index.ts now rejects empty, dot, and dot-dot bin names after scope stripping. bins/resolver/test/index.ts covers empty, dot, dot-dot, and scoped reserved bin keys. global/commands/test/globalRemove.test.ts proves global remove filters reserved manifest bin names before deletion and only removes a safe good shim. pacquet/crates/cmd-shim/src/binresolver.rs mirrors the same reserved-name rejection; empty names were already rejected. pacquet/crates/cmd-shim/src/bin_resolver/tests.rs extends parity coverage. .changeset/strange-bin-segments.md records patch releases for @pnpm/bins.resolver, pnpm, and pacquet. Pacquet parity is appropriate at the shared bin resolver/linker boundary because pacquet dependency-management commands can resolve and link package bins, even though the TypeScript-only global remove/update/add replacement flow is the concrete destructive-delete sink. Validation Passed locally: The script passed TypeScript builds, ESLint, bins/resolver Jest, global-remove sink Jest, pacquet fmt/tests, and git diff --check.

Impact

Affected versions

Security releases

Remediation advice