GHSA-v23m-ccfg-pq9h

Summary

The staged-tarball filename traversal reported as GHSA-v23m-ccfg-pq9h / CAND-PNPM-038 is fixed on main by pnpm/pnpm#12303, merged as 65443f4bdf1f0db9c8c7dc58fee25252607e9234.

Before the fix, pnpm stage download derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe filename, and verifies the final destination before writing.

Security boundary

• Package names and semantic versions are validated before they can influence a local filename.
• POSIX and Windows path separators are rejected by basename checks.
• Stage download and tarball summary paths use the same filename helper.
• The resolved output path must remain an immediate child of the selected download directory.
• The stage identifier is already constrained to a UUID.

Exploit replay

Before 65443f4bdf, a traversal-bearing manifest version could make the command write outside the selected directory. After the fix, malicious package names fail with ERR_PNPM_INVALID_PACKAGE_NAME, malicious versions fail with ERR_PNPM_INVALID_PACKAGE_VERSION, no outside file is created, and the download directory remains empty.

Files changed

• releasing/commands/src/tarball/safeTarballFilename.ts validates manifest identity and rejects cross-platform path separators.
• releasing/commands/src/stage/download.ts verifies the resolved destination before writing.
• releasing/commands/src/tarball/summarizeTarball.ts uses the same filename contract.
• releasing/commands/test/stage.test.ts covers traversal through both package name and version.
• .changeset/stale-stage-tarballs.md includes patch bumps for @pnpm/releasing.commands and pnpm.

Patch

• Merged PR: https://github.com/pnpm/pnpm/pull/12303
• Fix commit: 65443f4bdf1f0db9c8c7dc58fee25252607e9234
• The private candidate branch was not submitted because it conflicts with and is superseded by the merged fix. The upstream patch is slightly stronger because it covers malicious package names as well as versions.

Commands run

$ git diff --check 65443f4bdf^ 65443f4bdf
PASS
$ gh pr view 12303 --repo pnpm/pnpm --json state,mergeCommit,statusCheckRollup
MERGED as 65443f4bdf

Validation

• Upstream regression coverage rejects traversal through both manifest name and version and verifies that no outside file is created.
• Compile and lint, dependency audit, Linux Node.js 22/24/26, CodeQL, and zizmor checks passed on the merged public PR.
• The Windows Node.js 22 full-suite job timed out in the unrelated pnpm/test/dlx.ts cache test after 512 other tests passed. The PR was merged by the maintainer; the failure did not involve the staging code.
• The earlier private candidate's focused exploit regression, positive control, package compile, ESLint, and git diff --check also passed.

Compatibility

Staging and release commands are TypeScript-only. Pacquet does not expose this command family, so no Rust-side port is required.

Remaining risk

The final fs.writeFile follows a pre-existing symlink at the exact in-directory output name. That requires separate local filesystem access and is not controllable through the registry manifest traversal described here.

Written by an agent (Codex, GPT-5).