Skip to content

pnpm: `patch-remove` could delete project-selected files outside the patches directory

High severity GitHub Reviewed Published Jun 22, 2026 in pnpm/pnpm • Updated Jun 27, 2026

Package

pnpm (npm)

Affected versions

< 10.34.4
>= 11.0.0, < 11.7.0

Patched versions

10.34.4
11.7.0

Description

Summary

The patch-remove deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm.

A crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it.

Security boundary

  • Traversal and absolute paths that resolve outside the configured patches directory are rejected before deletion.
  • Parent directories are canonicalized before deletion, including the case where a nested symlink points outside and the final outside entry is itself dangling.
  • The complete batch is validated before any file is removed.
  • Component-aware predicates accept valid names beginning with .. while still rejecting parent traversal, Windows drive escapes, and UNC escapes.
  • Valid files and symlinked patch directories whose canonical targets remain below the lockfile directory continue to work.
  • A final symlink inside a valid patch directory is unlinked without following its target, including when the target is outside or dangling.

Exploit replay

Before the patch, a workspace patchedDependencies path that resolved outside the project caused pnpm patch-remove to delete the external sentinel. A second replay used a nested parent symlink and a dangling outside victim: realpath() returned ENOENT, yet the victim was still removed. With this patch, both paths are rejected and the outside entries remain intact.

Files changed

  • patching/commands/src/isSubdirectory.ts performs component-aware containment checks.
  • patching/commands/src/patchRemove.ts validates the full batch, canonicalizes parents, and unlinks final entries without following them.
  • patching/commands/test/{isSubdirectory,patchRemove}.test.ts covers traversal, nested symlinks, dangling victims, and valid removals.

Commands run

$ pnpm --filter @pnpm/patching.commands test test/isSubdirectory.test.ts test/patchRemove.test.ts
PASS: 11 tests across 2 suites
$ pnpm --filter @pnpm/patching.commands run compile
PASS
$ git diff --check
PASS

Validation

  • Focused handler and path-predicate suites: 11 passed across 2 suites.
  • Package-wide ESLint: passed.
  • Package TypeScript build: passed.
  • Commit hooks, Commitlint, and git diff --check: passed.
  • The broader integration harness was environment-blocked because it writes outside the available temporary root; focused handler tests used /private/tmp.

Patches

10.34.4: pnpm/pnpm@352ae48
11.7.0: pnpm/pnpm@612a2e6

Compatibility

Missing patch files remain no-ops. Valid symlinked patch directories continue to work when their canonical target stays inside the lockfile directory, and final symlinks are removed without touching their targets. patch-remove is not yet in pacquet's command surface, so no Rust-side parity change is required.

Remaining risk

Portable Node APIs do not expose directory-fd-relative unlinkat(). A local attacker who can replace an already validated parent directory before the unlink may still win a time-of-check/time-of-use race. The reproduced repository-controlled traversal and symlink paths do not require that concurrent capability and are blocked by this patch.


Written by an agent (Codex, GPT-5).

References

@zkochan zkochan published to pnpm/pnpm Jun 22, 2026
Published to the GitHub Advisory Database Jun 27, 2026
Reviewed Jun 27, 2026
Last updated Jun 27, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

EPSS score

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-72r4-9c5j-mj57

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.