Main Vulnerability Database SB2026052527

SB2026052527 - Missing support for integrity check in pnpm

Published: May 25, 2026

Security Bulletin ID SB2026052527

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Missing support for integrity check (CVE-ID: N/A)

CWE-ID: CWE-353 - Missing Support for Integrity Check

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper integrity verification in the lockfile handling for GitHub git dependencies when downloading tarballs from codeload.github.com. A remote attacker can serve a malicious tarball to execute arbitrary code.

Only dependencies fetched from GitHub via codeload.github.com are affected because the lockfile does not store their tarball hash.

Remediation

Install update from vendor's website.

References

https://github.com/pnpm/pnpm/security/advisories/GHSA-hg3w-7f8c-63hp