Threat Intelligence · June 2026 · 4 min read

pnpm Path Traversal Flaw Poses Risk to Automated Systems

A vulnerability in the pnpm package manager could allow arbitrary file deletion, creating a significant threat vector for AI agents and automated development environments.


At a Glance

Identifier: GHSA-72r4-9c5j-mj57
Severity: High
Attack Vector: Local / Malicious File
Affected Product: pnpm

A high-severity vulnerability has been addressed in the pnpm package manager, a popular tool for managing Node.js dependencies. Tracked as GHSA-72r4-9c5j-mj57, the flaw resided in the `patch-remove` command. A specially crafted patch file could trick the command into deleting arbitrary files on the filesystem, extending beyond the intended project directory [1].

The Attack Chain

The vulnerability allows an attacker to delete files by exploiting insufficient path validation. An attack begins when a developer, or an automated system, incorporates a malicious patch file into a project. This could happen by using a compromised upstream dependency or by accepting a malicious contribution to an open-source project.

When the `pnpm patch-remove` command is executed, it is meant to clean up patch files from a designated directory. However, a malicious entry in the project's manifest could contain path traversal sequences like `../`. The vulnerable code would resolve this path, allowing it to point to a file anywhere on the filesystem that the user has permission to delete [2].

For example, a malicious patch could target critical configuration files, SSH keys, or application source code. The deletion is performed by a trusted tool, `pnpm`, making the action less likely to be flagged by conventional security software. The exploit replay demonstrated that even nested symlinks pointing to outside files could be used to trigger the deletion.

OPERATOR ACTION

Update pnpm to a patched release (10.34.4 or newer on the 10.x line, 11.7.0 or newer on the 11.x line) to prevent exploitation.

Technical Cause and Mitigation

The root cause was a failure to properly sanitize and validate file paths before the deletion operation. The `patch-remove` function did not sufficiently check for path traversal elements or symlinks that resolved outside the intended patches directory. This allowed a malicious path to be processed and passed to the file unlinking logic.

The fix, implemented in commits across two major versions, introduces multiple layers of validation. The updated code now canonicalizes parent directories and validates the full batch of files before removing anything. It also rejects any path that resolves outside the configured patches directory [3].

A key change is that the final component of a path is unlinked without following it, which specifically blocks attacks using symlinks that point to an external victim file [4].

Implications for Agentic Security

This vulnerability has significant implications for agentic systems and AI-assisted development. Autonomous agents that write, manage, and patch their own code rely on toolchains like pnpm to function. These agents operate with a level of trust in their foundational tools, executing commands as part of their programmed logic.

An attacker could exploit this trust. An agent could be prompted to consume data from a source containing a malicious patch file. The agent, following its standard operating procedure, would apply and later attempt to remove the patch. This action would trigger the vulnerability, causing the agent to delete files within its own environment.

This scenario represents a new attack surface where an agent's own maintenance routines are turned against it. The malicious action is initiated by the agent itself through a legitimate tool, bypassing defenses that look for external threats or malware. Protecting against these threats requires monitoring the context and outcome of an agent's actions, not just the commands it runs.

Defender Guidance and Remaining Risk

The immediate action for all developers and teams is to update their pnpm installation. Beyond this patch, the incident highlights the security importance of the entire software supply chain, especially for automated systems. It is critical to run agentic workloads in least-privilege environments to limit the potential damage from any single compromised tool.

A minor residual risk remains even after the patch. The fix does not completely eliminate a potential time-of-check/time-of-use (TOCTOU) race condition. A sophisticated local attacker with precise timing could theoretically replace a directory after it has been validated but before the file inside is deleted. However, the patched versions successfully block the more practical traversal and symlink attacks that can be delivered remotely through a malicious package.

References

  1. GitHub Security Advisory (GHSA-72r4-9c5j-mj57). https://github.com/advisories/GHSA-72r4-9c5j-mj57 (accessed 2026-06-28).
  2. Vendor security advisory (github.com). https://github.com/pnpm/pnpm/security/advisories/GHSA-72r4-9c5j-mj57 (accessed 2026-06-28).
  3. Patch commit / PR (github.com). https://github.com/pnpm/pnpm/commit/612a2e6a7333f2b061f452a21b6e62c1c161747f (accessed 2026-06-28).
  4. Patch commit / PR (github.com). http://github.com/pnpm/pnpm/commit/352ae489f1b14ffdc19d2c6eacb1b06b098c2ddc (accessed 2026-06-28).

About Helixar Research Labs

Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.

Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.

If you run agents in production, this is for you. Learn more at helixar.ai.
