Missing support for integrity check in pnpm - #VU132258


Published: May 25, 2026


Vulnerability identifier: #VU132258
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-353
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: pnpm
Affected software:
pnpm

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists because pnpm's lockfile handling does not verify the integrity of GitHub git dependencies that are downloaded as tarballs from codeload.github.com. A remote attacker able to serve a malicious tarball in place of the expected one can execute arbitrary code on the installing system.

Only dependencies fetched from GitHub via codeload.github.com are affected because the lockfile does not store their tarball hash.
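As an added example (not pnpm's own code), the scanner below walks the `packages:` section of a pnpm-lock.yaml and reports every dependency whose resolution is a tarball URL with no `integrity` hash, which is the unverifiable condition this advisory describes. It assumes the one-line flow-mapping form `resolution: {...}` and uses a constructed sample lockfile with hypothetical package names and hashes.

```javascript
// Added example (not pnpm's own code): scan a pnpm-lock.yaml for packages
// whose resolution is a tarball URL with no `integrity` hash, the condition
// this advisory describes for codeload.github.com dependencies.
// Assumption: the `packages:` section uses the one-line flow-mapping form
// `resolution: {...}`; this is a line scanner, not a full YAML parser.

// Constructed sample lockfile; package names and hashes are hypothetical.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'

packages:

  lodash@4.17.21:
    resolution: {integrity: sha512-CONSTRUCTEDHASHVALUE==}

  example-org/example-lib/0123456789abcdef0123456789abcdef01234567:
    resolution: {tarball: https://codeload.github.com/example-org/example-lib/tar.gz/0123456789abcdef0123456789abcdef01234567}
    version: 1.0.0

  example-org/other-lib/fedcba9876543210fedcba9876543210fedcba98:
    resolution: {integrity: sha512-ANOTHERCONSTRUCTEDHASH==, tarball: https://codeload.github.com/example-org/other-lib/tar.gz/fedcba9876543210fedcba9876543210fedcba98}
`;

// Returns one finding per package that has a tarball URL but no integrity.
function findUnverifiedTarballs(lockfileText) {
  const findings = [];
  let inPackages = false;
  let currentPkg = null;
  for (const line of lockfileText.split('\n')) {
    if (/^[A-Za-z]/.test(line)) {          // top-level key: enter/leave packages
      inPackages = line.startsWith('packages:');
      currentPkg = null;
      continue;
    }
    if (!inPackages) continue;
    const pkg = line.match(/^  (\S.*):\s*$/);   // 2-space indent = package key
    if (pkg) { currentPkg = pkg[1].replace(/^'|'$/g, ''); continue; }
    const res = line.match(/^    resolution:\s*\{(.*)\}\s*$/);
    if (!res || !currentPkg) continue;
    const tarball = res[1].match(/tarball:\s*'?([^,'}\s]+)/);
    const hasIntegrity = /(^|[,\s])integrity:\s*\S/.test(res[1]);
    if (tarball && !hasIntegrity) {
      let host = 'unparseable-url';
      try { host = new URL(tarball[1]).host; } catch (_) { /* keep marker */ }
      findings.push({ name: currentPkg, tarball: tarball[1], host });
    }
  }
  return findings;
}

// Each finding is a dependency whose fetched archive pnpm cannot check
// against the lockfile, so a substituted tarball would go unnoticed.
for (const f of findUnverifiedTarballs(SAMPLE_LOCKFILE)) {
  console.log(`UNVERIFIED ${f.host}: ${f.name} <- ${f.tarball}`);
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCKFILE` with the file contents; an empty result means every package entry carries an integrity hash.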


Remediation

Install the security update from the vendor's website.

Sources