pnpm: Reserved bin name deletes PNPM_HOME during global remove
🔗 CVE IDs covered (1)
📋 Description
Maintainer Action Plan
This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path.
- Advisory:
CAND-PNPM-085/GHSA-4gxm-v5v7-fqc4 - Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-4gxm-v5v7-fqc4
- Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1
- Shared patch branch:
security/ghsa-batch-2026-06-09 - Patch commit:
a93449314f398cf4bdf2e28d033c02d37395ad22 - Base commit:
origin/main55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec - Maintainer priority:
appendix - Component:
pnpm global add/remove bin cleanup - Patch area: bin name/path segment validation
- Affected packages:
npm:pnpm - CWE IDs:
CWE-22,CWE-73 - Conservative CVSS:
6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - Next action: review the shared patch branch for this component, set the final affected version range, merge and release the fix, then publish or close the advisory.
Expected Patched Behavior
Reserved, dot, and path-segment bin names are rejected or ignored; global remove leaves PNPM_HOME and the sentinel file intact.
Files And Tests To Review
bins/resolver/src/index.tsbins/resolver/test/index.tsglobal/commands/test/globalRemove.test.tspacquet/crates/cmd-shim/src/bin_resolver.rspacquet/crates/cmd-shim/src/bin_resolver/tests.rs.changeset/strange-bin-segments.md
Focused Validation
Run these from a checkout of the shared patch branch. They are the useful maintainer commands with machine-local artifact paths removed.
- Use the private PR checks plus the patched replay coverage matrix for this candidate.
The full patched replay for the shared branch passed with all 20 candidates marked fixed. This candidate's replay evidence is results/CAND-PNPM-085-patched-result.json.
Title
Reserved manifest bin names can make global package operations delete outside the global bin directory
Description
Summary
Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent.
Details
The vulnerable dataflow was:
bins/resolver/src/index.tsconverted manifestbinobject keys tobinNameand only required URL-safe text or$. Empty, dot, dot-dot, and scoped forms such as@scope/..were not rejected after scope stripping.global/packages/src/scanGlobalPackages.tsscanned installed global package manifests and returned manifest-derivedbin.namevalues.global/commands/src/globalRemove.ts,global/commands/src/globalUpdate.ts, and global add replacement logic joined those names toglobalBinDir.bins/remover/src/removeBins.tsrecursively removed the resulting path.
Install-time checks did not close the gap: bin target paths were package-root checked, conflict checks looked at the same escaped path but did not reject reserved segments, and bin-link warning paths could leave the package installed for later global operations.
PoC
Run:
The script first performs a safe prepatch simulation in a temporary directory:
prepatch_reserved_bin_name=..
prepatch_delete_target=/.../cand-pnpm-085.XXXXXX/home
prepatch_deleted_global_bin_parent=true
It then validates the patched implementation:
./node_modules/.bin/tsgo --build bins/resolver/tsconfig.json
./node_modules/.bin/tsgo --build global/commands/tsconfig.json
./node_modules/.bin/eslint bins/resolver/src/index.ts bins/resolver/test/index.ts global/commands/test/globalRemove.test.ts
cd bins/resolver
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/index.ts --runInBand
cd global/commands
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/globalRemove.test.ts -t "global remove ignores reserved manifest bin names" --runInBand
cargo fmt --manifest-path pacquet/crates/cmd-shim/Cargo.toml --check
cargo test --manifest-path pacquet/crates/cmd-shim/Cargo.toml bin_resolver --lib
git diff --check -- bins/resolver global/commands/test/globalRemove.test.ts pacquet/crates/cmd-shim .changeset/strange-bin-segments.md pnpm-lock.yaml
The patched resolver no longer emits reserved bin names, and the global-remove regression proves the deletion sink receives only path.join(globalBinDir, "good").
Impact
Direct confidentiality impact was not validated for this primitive; the sink is deletion/corruption, not a read or disclosure path.
Affected Products
Ecosystem: npm
Package name: pnpm
Affected versions: versions before the patch that accept reserved manifest bin names in TypeScript global package flows.
Patched versions: pending release containing the shared bin-name hardening.
Severity
Corrected vulnerable severity: High
Corrected vulnerable vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Corrected vulnerable score: 8.1
Final post-patch score: 0.0, not vulnerable after patch.
The original scan score was 8.3 with C:H/I:H/A:L. Revalidation removes direct confidentiality impact and raises availability to high because the sink can recursively delete the global bin directory or its parent.
Weaknesses
CWE-22: Improper Limitation of a Pathname to a Restricted Directory
CWE-73: External Control of File Name or Path
Patch
bins/resolver/src/index.tsnow rejects empty, dot, and dot-dot bin names after scope stripping.bins/resolver/test/index.tscovers empty, dot, dot-dot, and scoped reserved bin keys.global/commands/test/globalRemove.test.tsproves global remove filters reserved manifest bin names before deletion and only removes a safegoodshim.pacquet/crates/cmd-shim/src/bin_resolver.rsmirrors the same reserved-name rejection; empty names were already rejected.pacquet/crates/cmd-shim/src/bin_resolver/tests.rsextends parity coverage..changeset/strange-bin-segments.mdrecords patch releases for@pnpm/bins.resolver,pnpm, andpacquet.
Pacquet parity is appropriate at the shared bin resolver/linker boundary because pacquet dependency-management commands can resolve and link package bins, even though the TypeScript-only global remove/update/add replacement flow is the concrete destructive-delete sink.
Validation
Passed locally:
The script passed TypeScript builds, ESLint, bins/resolver Jest, global-remove sink Jest, pacquet fmt/tests, and git diff --check.
🎯 Affected products2
- npm/pnpm:< 10.34.2
- npm/pnpm:>= 11.0.0, < 11.5.3