CVE-2026-55698
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained matching pnpm and @pnpm/exe versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching. This vulnerability is fixed in 10.34.2 and 11.5.3.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pnpm | pnpm | < 10.34.2 | affected |
| pnpm | pnpm | >= 11.0.0, < 11.5.3 | affected |
Weaknesses
- CWE-345: CWE-345: Insufficient Verification of Data Authenticity
- CWE-494: CWE-494: Download of Code Without Integrity Check
- CWE-829: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.