CVE-2026-55487
7.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator normalized to the same value. This vulnerability is fixed in 10.34.2 and 11.5.3.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pnpm | pnpm | < 10.34.2 | affected |
| pnpm | pnpm | >= 11.0.0, < 11.5.3 | affected |
Weaknesses
- CWE-346: CWE-346: Origin Validation Error
- CWE-693: CWE-693: Protection Mechanism Failure
- CWE-829: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.