Description
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator normalized to the same value. This vulnerability is fixed in 10.34.2 and 11.5.3.
Published: 2026-06-25
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pnpm versions prior to 10.34.2 and 11.5.3 incorrectly strip parenthesized text from git, URL, tarball, and other locators during peer‑suffix normalisation. This behaviour allows an attacker to supply a source string that normalises to the same value as an already approved source. The vulnerability is a classic identity spoofing flaw (CWE‑346) that can be exploited to install malicious code under the guise of an authorised dependency, potentially enabling arbitrary code execution during build or run time.

Affected Systems

All installations of the pnpm package manager running an affected version – specifically pnpm 10.x before 10.34.2 and pnpm 11.x before 11.5.3 – are at risk. Any user or continuous‑integration environment that resolves external dependencies with these pnpm versions would be exposed.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 corresponds to High severity; the vector (AV:N/AC:H/PR:N/UI:R) describes a network-reachable flaw that needs high attack complexity and user interaction but no privileges. No EPSS value is publicly available, and the vulnerability is not currently listed in the CISA KEV catalog. An attacker who can influence the dependency specification (for example by modifying package.json or the lockfile in a CI pipeline) could supply a crafted source that bypasses approval checks, causing pnpm to fetch and execute malicious code. Based on the description, it is inferred that an attacker could trigger the attack remotely if they control the publishing of a package that is subsequently fetched by vulnerable pnpm installations.

Generated by OpenCVE AI on June 25, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pnpm to version 10.34.2 or later, or to 11.5.3 or later, to obtain the fixed peer‑suffix normalisation logic.
  • If an upgrade is not immediately possible, restrict pnpm to approved registries and disable allowBuilds during dependency resolution to prevent the installation of untrusted source code.
  • Audit existing lockfiles and dependency manifests for suspicious or mismatched source URLs, and apply appropriate controls to enforce source integrity before installation proceeds.
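To make the normalization flaw from the Impact section and the lockfile audit from the last recommended action concrete, here is an added example in JavaScript. It is not pnpm's code; the helper names, the regular expressions and the sample locators are assumptions constructed for illustration. It models a generic normalizer that strips parenthesized text from every locator beside a scoped one that only touches registry version specs, and an audit that reports approvals which depend on the generic stripping.

```javascript
'use strict';

// Added example, not pnpm's code: hypothetical helpers that model the
// flaw described above. pnpm lockfile keys carry peer-dependency suffixes
// such as "1.2.3(react@18.2.0)"; a normalizer that removes "(...)" from
// every string also rewrites opaque locators (git, URL, tarball, file:),
// so two distinct sources can compare equal after normalization.

// Remove every balanced "(...)" group; the loop handles nested peer groups
// such as "(react-dom@18.2.0(react@18.2.0))" from the inside out.
function stripParenGroups(spec) {
  let out = spec;
  while (/\([^()]*\)/.test(out)) out = out.replace(/\([^()]*\)/g, '');
  return out;
}

// Vulnerable (generic) normalizer: applies the stripping to any locator.
function normalizeGeneric(spec) {
  return stripParenGroups(spec);
}

// Opaque locator kinds (assumed heuristic): scheme-prefixed strings such as
// git+https:, https:, file:, link:, npm:; relative or absolute paths; or a
// bare tarball file name.
function isOpaqueLocator(spec) {
  return /^[a-z][a-z0-9+.-]*:/i.test(spec)
    || /^(\.\.?\/|\/)/.test(spec)
    || /\.(tgz|tar\.gz|tar)$/i.test(spec);
}

// Fixed (scoped) normalizer: only registry version specs lose their peer
// suffix; opaque locators are compared byte-for-byte.
function normalizeScoped(spec) {
  return isOpaqueLocator(spec) ? spec : stripParenGroups(spec);
}

// Approval check as a source allow-list would do it: the candidate is
// approved if its normalized form equals the normalized form of an entry.
function isApproved(spec, approved, normalize) {
  const n = normalize(spec);
  return approved.some((a) => normalize(a) === n);
}

// Audit helper: locators that the generic normalizer would approve but the
// scoped one would not, i.e. approvals that rest on the stripping bug.
function findCollisions(locators, approved) {
  return locators.filter((l) =>
    isApproved(l, approved, normalizeGeneric)
      && !isApproved(l, approved, normalizeScoped));
}

// Constructed sample data (placeholder host and versions, not real packages).
const APPROVED = [
  'https://example.com/pkgs/widget-1.0.0.tgz',
  '4.17.21(react@18.2.0)',
];
const LOCKFILE_LOCATORS = [
  '4.17.21(react@18.2.0)(react-dom@18.2.0(react@18.2.0))', // registry spec; same version after stripping
  'https://example.com/pkgs/widget-1.0.0.tgz',              // exact approved tarball
  'https://example.com/pkgs/widget-1.0.0(alt).tgz',         // a different file; equal only under generic stripping
  'git+https://example.com/org/other.git#v1.0.0',           // unrelated; approved by neither normalizer
];

console.log('approvals resting on generic stripping:',
  findCollisions(LOCKFILE_LOCATORS, APPROVED));
```

Run with `node` to print the one locator whose approval hinges on the bug. The audit reproduces the recommended action: any lockfile entry that is only approved under the generic normalizer is a mismatched source URL that should be reviewed before installation proceeds, and an allow-list that keys on exact opaque locators (the scoped normalizer) no longer accepts it.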

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Pnpm; Pnpm pnpm

Type: Vendors & Products
Values Removed: (none)
Values Added: Pnpm; Pnpm pnpm

Thu, 25 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 17:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator normalized to the same value. This vulnerability is fixed in 10.34.2 and 11.5.3.

Type: Title
Values Removed: (none)
Values Added: pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-346; CWE-693; CWE-829

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:03:06.773Z

Reserved: 2026-06-16T22:28:27.061Z

Link: CVE-2026-55487

Vulnrichment

Updated: 2026-06-25T18:02:33.707Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-346: Origin Validation Error
  • CWE-693: Protection Mechanism Failure
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere