Description
pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if this server was compromised or a person's machine configuration was compromised, pnpm would download and install these dependencies. This vulnerability is fixed in 10.33.4 and 11.0.7.
Severity (CVSS)
| Base score | 4.8 |
|---|---|
| Severity | Medium |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
| Provided by | CNA |
Weaknesses
- CWE-353 — CWE-353: Missing Support for Integrity Check
Affected products
| Vendor | Product | Versions |
|---|---|---|
| pnpm | pnpm | < 10.33.4; >= 11.0.0, < 11.0.7 |
References
- https://github.com/pnpm/pnpm/security/advisories/GHSA-hg3w-7f8c-63hp (x_refsource_CONFIRM)
Generated from the official CVE List on 26 Jun 2026 07:05 UTC.