Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install --frozen-lockfile can install the altered package without an integrity error. npm's npm ci enforces integrity by default; pnpm's behavior of silently skipping verification is a pnpm-specific fail-open gap. This vulnerability is fixed in 10.34.0 and 11.4.0.
Published: 2026-06-25
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a fail‑open integrity verification bypass (CWE‑494: Use of Trusted Data) and also involves improper handling of missing integrity information (CWE‑354). It allows an attacker who can modify the pnpm-lock.yaml file and control the registry URL referenced by the lockfile to bypass integrity verification and install altered packages. Because the integrity field is optional in older pnpm releases, the updated package is extracted and executed without any error, enabling the attacker to compromise the dependency chain or inject malicious code. The flaw directly threatens the integrity of the software supply chain.

Affected Systems

Affected systems include environments running pnpm versions earlier than 10.34.0 or 11.4.0. The vendor pnpm and its package manager are the only affected components. Systems using pnpm for dependency resolution and committing to lockfile without integrity checks are at risk.

Risk and Exploitability

The severity is reflected in a CVSS score of 6.8, indicating moderate risk. The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to tamper with the pnpm-lock.yaml file and supply a malicious package from a registry endpoint that matches the lockfile entry, then run pnpm install --frozen-lockfile. The likely attack vector involves compromised or malicious repositories that supply altered tarballs, or locally compromising the lockfile on an installation machine.

Generated by OpenCVE AI on July 17, 2026 at 02:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pnpm to version 10.34.0 or later, or 11.4.0 or later, where integrity checks are enforced.
  • Ensure that pnpm-lock.yaml contains integrity fields for all dependencies and verify the lockfile before installation.
  • If upgrading immediately is not feasible, enforce integrity checks by switching to npm ci or by running a custom validation script that rejects lockfiles missing integrity entries.

Generated by OpenCVE AI on July 17, 2026 at 02:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q6j5-fjx5-2mc3 pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field
History

Tue, 07 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-494
References
Metrics threat_severity

None

threat_severity

Important


Fri, 26 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Pnpm
Pnpm pnpm
Vendors & Products Pnpm
Pnpm pnpm

Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install --frozen-lockfile can install the altered package without an integrity error. npm's npm ci enforces integrity by default; pnpm's behavior of silently skipping verification is a pnpm-specific fail-open gap. This vulnerability is fixed in 10.34.0 and 11.4.0.
Title pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field
Weaknesses CWE-354
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T03:56:14.220Z

Reserved: 2026-06-02T22:46:02.579Z

Link: CVE-2026-50021

cve-icon Vulnrichment

Updated: 2026-06-26T02:10:22.719Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T16:48:27Z

Links: CVE-2026-50021 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T02:45:08Z

Weaknesses
  • CWE-354

    Improper Validation of Integrity Check Value

  • CWE-494

    Download of Code Without Integrity Check