Directory Traversal Affecting pnpm-stage0 package, versions <8.7.4-r7


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.29% (21st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-WOLFILATEST-PNPMSTAGE0-17872363
  • published7 Jul 2026
  • disclosed20 Feb 2026

Introduced: 20 Feb 2026

CVE-2026-26960  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade Wolfi pnpm-stage0 to version 8.7.4-r7 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream pnpm-stage0 package and not the pnpm-stage0 package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.

CVSS Base Scores

version 3.1