GHSA-4gxm-v5v7-fqc4

<details> <summary>Maintainer Action Plan</summary>

Maintainer Action Plan

This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path.

• Advisory: CAND-PNPM-085 / GHSA-4gxm-v5v7-fqc4
• Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-4gxm-v5v7-fqc4
• Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1
• Shared patch branch: security/ghsa-batch-2026-06-09
• Patch commit: a93449314f398cf4bdf2e28d033c02d37395ad22
• Base commit: origin/main 55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec
• Maintainer priority: appendix
• Component: pnpm global add/remove bin cleanup
• Patch area: bin name/path segment validation
• Affected packages: npm:pnpm
• CWE IDs: CWE-22, CWE-73
• Conservative CVSS: 6.5 / CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
• Next action: review the shared patch branch for this component, set the final affected version range, merge and release the fix, then publish or close the advisory.

Expected Patched Behavior

Reserved, dot, and path-segment bin names are rejected or ignored; global remove leaves PNPM_HOME and the sentinel file intact.

Files And Tests To Review

• bins/resolver/src/index.ts
• bins/resolver/test/index.ts
• global/commands/test/globalRemove.test.ts
• pacquet/crates/cmd-shim/src/bin_resolver.rs
• pacquet/crates/cmd-shim/src/bin_resolver/tests.rs
• .changeset/strange-bin-segments.md

Focused Validation

Run these from a checkout of the shared patch branch. They are the useful maintainer commands with machine-local artifact paths removed.

• Use the private PR checks plus the patched replay coverage matrix for this candidate.

The full patched replay for the shared branch passed with all 20 candidates marked fixed. This candidate's replay evidence is results/CAND-PNPM-085-patched-result.json. <!-- maintainer-action:end -->

Title

Reserved manifest bin names can make global package operations delete outside the global bin directory

</details>

Description

Summary

Manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent.

Details

The vulnerable dataflow was:

• bins/resolver/src/index.ts converted manifest bin object keys to binName and only required URL-safe text or $. Empty, dot, dot-dot, and scoped forms such as @scope/.. were not rejected after scope stripping.
• global/packages/src/scanGlobalPackages.ts scanned installed global package manifests and returned manifest-derived bin.name values.
• global/commands/src/globalRemove.ts, global/commands/src/globalUpdate.ts, and global add replacement logic joined those names to globalBinDir.
• bins/remover/src/removeBins.ts recursively removed the resulting path.

Install-time checks did not close the gap: bin target paths were package-root checked, conflict checks looked at the same escaped path but did not reject reserved segments, and bin-link warning paths could leave the package installed for later global operations.

PoC

Run:

The script first performs a safe prepatch simulation in a temporary directory:

prepatch_reserved_bin_name=..
prepatch_delete_target=/.../cand-pnpm-085.XXXXXX/home
prepatch_deleted_global_bin_parent=true

It then validates the patched implementation:

./node_modules/.bin/tsgo --build bins/resolver/tsconfig.json
./node_modules/.bin/tsgo --build global/commands/tsconfig.json
./node_modules/.bin/eslint bins/resolver/src/index.ts bins/resolver/test/index.ts global/commands/test/globalRemove.test.ts
cd bins/resolver
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/index.ts --runInBand
cd global/commands
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/globalRemove.test.ts -t "global remove ignores reserved manifest bin names" --runInBand
cargo fmt --manifest-path pacquet/crates/cmd-shim/Cargo.toml --check
cargo test --manifest-path pacquet/crates/cmd-shim/Cargo.toml bin_resolver --lib
git diff --check -- bins/resolver global/commands/test/globalRemove.test.ts pacquet/crates/cmd-shim .changeset/strange-bin-segments.md pnpm-lock.yaml

The patched resolver no longer emits reserved bin names, and the global-remove regression proves the deletion sink receives only path.join(globalBinDir, "good").

Impact

Direct confidentiality impact was not validated for this primitive; the sink is deletion/corruption, not a read or disclosure path.

Affected Products

Ecosystem: npm

Package name: pnpm

Affected versions: versions before the patch that accept reserved manifest bin names in TypeScript global package flows.

Patched versions: pending release containing the shared bin-name hardening.

Severity

Corrected vulnerable severity: High

Corrected vulnerable vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Corrected vulnerable score: 8.1

Final post-patch score: 0.0, not vulnerable after patch.

The original scan score was 8.3 with C:H/I:H/A:L. Revalidation removes direct confidentiality impact and raises availability to high because the sink can recursively delete the global bin directory or its parent.

Weaknesses

CWE-22: Improper Limitation of a Pathname to a Restricted Directory

CWE-73: External Control of File Name or Path

Patch

• bins/resolver/src/index.ts now rejects empty, dot, and dot-dot bin names after scope stripping.
• bins/resolver/test/index.ts covers empty, dot, dot-dot, and scoped reserved bin keys.
• global/commands/test/globalRemove.test.ts proves global remove filters reserved manifest bin names before deletion and only removes a safe good shim.
• pacquet/crates/cmd-shim/src/bin_resolver.rs mirrors the same reserved-name rejection; empty names were already rejected.
• pacquet/crates/cmd-shim/src/bin_resolver/tests.rs extends parity coverage.
• .changeset/strange-bin-segments.md records patch releases for @pnpm/bins.resolver, pnpm, and pacquet.

Pacquet parity is appropriate at the shared bin resolver/linker boundary because pacquet dependency-management commands can resolve and link package bins, even though the TypeScript-only global remove/update/add replacement flow is the concrete destructive-delete sink.

Validation

Passed locally:

The script passed TypeScript builds, ESLint, bins/resolver Jest, global-remove sink Jest, pacquet fmt/tests, and git diff --check.