Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install --frozen-lockfile can install the altered package without an integrity error. npm's npm ci enforces integrity by default; pnpm's behavior of silently skipping verification is a pnpm-specific fail-open gap. This vulnerability is fixed in 10.34.0 and 11.4.0.
Published: 2026-06-25
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker who can modify the pnpm-lock.yaml file and control the registry URL referenced by the lockfile to bypass integrity verification and install altered packages. Because older pnpm releases treat the integrity field as optional, the altered package is extracted and executed without any error, enabling the attacker to compromise the dependency chain or inject malicious code. The flaw is a fail-open weakness that directly threatens the integrity of the software supply chain.

Affected Systems

Affected systems are environments running pnpm versions earlier than 10.34.0 or 11.4.0; pnpm itself is the only affected component. Systems that install dependencies with pnpm from a committed pnpm-lock.yaml whose entries lack integrity fields are at risk.

Risk and Exploitability

The severity is reflected in a CVSS score of 6.8, indicating moderate risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to tamper with the pnpm-lock.yaml file, serve a malicious package from a registry endpoint that matches the lockfile entry, and have pnpm install --frozen-lockfile run against that lockfile. Likely attack vectors are compromised or malicious repositories that supply altered tarballs, or local compromise of the lockfile on an installation machine.

Generated by OpenCVE AI on June 25, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pnpm to version 10.34.0 or later, or 11.4.0 or later, where integrity checks are enforced.
  • Ensure that pnpm-lock.yaml contains integrity fields for all dependencies and verify the lockfile before installation.
  • If upgrading immediately is not feasible, enforce integrity checks by switching to npm ci or by running a custom validation script that rejects lockfiles missing integrity entries.
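As an added example (not OpenCVE's or pnpm's own code) of the validation script the last point describes: a Node.js check that walks the packages section of pnpm-lock.yaml and lists every entry whose resolution has no integrity field, treating git and directory resolutions (which have no tarball to hash) as exempt. The lockfile text, hostnames and digest below are constructed; the parser is a hypothetical helper that handles pnpm's flow-style and block-style resolution entries.

```javascript
// Return the package keys in a pnpm-lock.yaml whose resolution points at a tarball but carries
// no `integrity` field (the fail-open case). Hypothetical line-oriented parser, not pnpm's code.
function findUnverifiedPackages(lockfileText) {
  const flagged = [], strip = (s) => s.replace(/^['"]|['"]$/g, "");
  let inPackages = false, current = null, fields = null, inBlock = false;
  const finish = () => {
    // git and directory resolutions have no tarball to hash; anything else must carry integrity
    const t = fields && fields.get("type");
    if (fields && !fields.has("integrity") && t !== "git" && t !== "directory") flagged.push(current);
    current = null; fields = null; inBlock = false;
  };
  for (const raw of lockfileText.split(/\r?\n/)) {
    const body = raw.trim(), indent = raw.length - raw.trimStart().length;
    if (body === "") continue;
    if (indent === 0) { finish(); inPackages = body === "packages:"; continue; }
    if (!inPackages) continue;
    if (indent === 2 && body.endsWith(":")) {            // start of a package entry
      finish(); current = strip(body.slice(0, -1)); fields = new Map(); continue;
    }
    const res = indent === 4 ? body.match(/^resolution:\s*(.*)$/) : null;
    if (res) {
      inBlock = res[1] === "";                             // block style: fields follow at indent 6
      for (const part of res[1].replace(/^\{|\}$/g, "").split(/,\s*(?=\w+:)/)) {
        const kv = part.match(/^\s*(\w+):\s*(.*)$/);       // flow style: {integrity: ..., tarball: ...}
        if (kv) fields.set(kv[1], strip(kv[2]));
      }
      continue;
    }
    if (indent === 4) inBlock = false;                     // another field of the package, e.g. engines
    const kv = inBlock && indent >= 6 ? body.match(/^(\w+):\s*(.*)$/) : null;
    if (kv) fields.set(kv[1], strip(kv[2]));
  }
  finish();
  return flagged;
}
// Constructed sample (placeholder digest): entry 2 lost its integrity field, entry 3 is a git resolution
const SAMPLE = `lockfileVersion: '9.0'
packages:
  lodash@4.17.21:
    resolution: {integrity: sha512-CONSTRUCTEDPLACEHOLDERdigest0000000000000000000000000000==}
  left-pad@1.3.0:
    resolution: {tarball: https://registry.example.test/left-pad/-/left-pad-1.3.0.tgz}
    engines: {node: '>=0.10.0'}
  some-git-dep@1.0.0:
    resolution:
      type: git
      repo: https://git.example.test/org/some-git-dep
      commit: 0123456789abcdef0123456789abcdef01234567
`;
console.log("entries without integrity:", findUnverifiedPackages(SAMPLE)); // [ 'left-pad@1.3.0' ]
```

In a CI step, pass `require("fs").readFileSync("pnpm-lock.yaml", "utf8")` instead of SAMPLE and fail the job when the returned list is non-empty.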


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 17:30:00 +0000

Type         Values Removed   Values Added
Description                   pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install --frozen-lockfile can install the altered package without an integrity error. npm's npm ci enforces integrity by default; pnpm's behavior of silently skipping verification is a pnpm-specific fail-open gap. This vulnerability is fixed in 10.34.0 and 11.4.0.
Title                         pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field
Weaknesses                    CWE-354
References
Metrics                       cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T16:48:27.901Z

Reserved: 2026-06-02T22:46:02.579Z

Link: CVE-2026-50021

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T18:30:14Z

Weaknesses
  • CWE-354

    Improper Validation of Integrity Check Value