Impact
A vulnerability exists in pnpm’s lockfile handling: it does not record the hash for tarball dependencies retrieved from codeload.github.com. If that host is compromised or a user’s network configuration is manipulated, pnpm will download and install an arbitrary tarball without verifying integrity, which can execute malicious code during installation. The weakness involves missing hash verification (CWE‑353) and insecure use of a downloaded package (CWE‑494).
Affected Systems
pnpm versions earlier than 10.33.4 in the 10.x series and earlier than 11.0.7 in the 11.x series. Projects using.github.com are affected.
Risk and Exploitability
The CVSS score of 4.8 classifies the vulnerability as medium severity, and the EPSS score of <1% indicates a very low but nonzero likelihood of exploitation. It is not listed in CISA’s KEV catalog. Exploitation requires control of the codeload.github.com service or manipulation of the user’s network environment to serve a malicious tarball. Although the overall risk is moderate, the potential for arbitrary code execution necessitates timely mitigation.
OpenCVE Enrichment
Github GHSA