pnpm
npm26 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting pnpmpage 1 of 1
- CVE-2022-26183HIGHCVSS 8.8EG 8.8✓ Fixed in 6.15.12022-03-21
PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs whe…
- CVE-2023-37478HIGHCVSS 7.5EG 7.5✓ Fixed in 8.6.82023-08-01
pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package th…
- CVE-2024-47829MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.0.02025-04-23
pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different librarie…
- CVE-2024-53866CRITICALCVSS 9.8EG 9.8✓ Fixed in 9.15.02024-12-10
The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and install…
- CVE-2025-69262HIGHCVSS 7.8EG 7.5✓ Fixed in 10.27.02026-01-07
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment…
- CVE-2025-69263HIGHCVSS 8.8EG 7.5✓ Fixed in 10.26.02026-01-07
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a…
- CVE-2025-69264CRITICALCVSS 9.8EG 8.8✓ Fixed in 10.26.02026-01-07
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". Whil…
- CVE-2026-23888MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.28.12026-01-26
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) …
- CVE-2026-23889MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.28.12026-01-26
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./`…
- CVE-2026-23890MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.28.12026-01-26
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypa…
- CVE-2026-24056MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.28.22026-01-26
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package cont…
- CVE-2026-24131MEDIUMCVSS 5.5EG 5.5✓ Fixed in 10.28.22026-01-26
pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"director…
- CVE-2026-48995HIGHCVSS 7.5EG 7.5✓ Fixed in 10.33.42026-06-25
pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencie…
- CVE-2026-50014HIGHCVSS 7.3EG 7.3✓ Fixed in 10.34.02026-06-25
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch…
- CVE-2026-50015HIGHCVSS 7.3EG 7.3✓ Fixed in 10.34.02026-06-25
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline (@pnpm/patch-package) performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a…
- CVE-2026-50016HIGHCVSS 8.8EG 8.8✓ Fixed in 10.34.02026-06-25
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linki…
- CVE-2026-50017MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.34.02026-06-25
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a defau…
- CVE-2026-50021HIGHCVSS 8.1EG 8.1✓ Fixed in 11.4.02026-06-25
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove …
- CVE-2026-50573HIGHCVSS 8.1EG 8.1✓ Fixed in 10.34.02026-06-25
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. When a pac…
- CVE-2026-55180MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.34.22026-06-25
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious re…
- CVE-2026-55487HIGHCVSS 8.8EG 8.8✓ Fixed in 10.34.22026-06-25
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a…
- CVE-2026-55697HIGHCVSS 8.8EG 8.8✓ Fixed in 11.5.32026-06-25
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependen…
- CVE-2026-55698HIGHCVSS 8.8EG 8.8✓ Fixed in 10.34.22026-06-25
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDep…
- CVE-2026-55700HIGHCVSS 7.1EG 7.1✓ Fixed in 11.5.32026-06-25
pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite ano…
- CVE-2026-59194HIGHCVSS 7.1EG 7.1✓ Fixed in 10.34.42026-07-06
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This vulnerability is fixed in 10.34.4 …
- CVE-2026-59196HIGHCVSS 7.1EG 7.1✓ Fixed in 10.34.42026-07-06
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted node_modules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm c…
Check whether pnpm is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for pnpm CVEs against the assets you own.
Start Free Scan →