Origin validation error in pnpm - #VU134551

 

Published: June 15, 2026


Vulnerability identifier: #VU134551
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-346
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: pnpm
Affected software:
pnpm

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to an origin validation error in the allowBuilds build policy when processing opaque dependency locators. A remote attacker can supply a specially crafted dependency source string that collides with an approved locator to execute arbitrary code.

User interaction is required to approve the dependency source and run the lifecycle script.


Remediation

Install the security update from the vendor's website.
