CVE-2022-26183: Untrusted Search Path

March 21, 2022 (updated November 9, 2023)

PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.

References

github.com/advisories/GHSA-9m87-6fj3-c5xh
github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb
github.com/pnpm/pnpm/releases/tag/v6.15.1
nvd.nist.gov/vuln/detail/CVE-2022-26183

Code Behaviors & Features

Detect and mitigate CVE-2022-26183 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →