CVE-2026-50573
Published:June 25, 2026
Updated:June 29, 2026
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, "pnpm install" in non-frozen mode can accept new remote package content after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. When a package is already locked with an integrity value, and the registry later serves different metadata and tarball content for the same package name and version, pnpm initially reports an integrity mismatch. However, plain pnpm install then performs a resolution repair, accepts the registry's new integrity, updates the lockfile, installs the new content, and exits successfully. This means the lockfile integrity check does not act as a hard stop by default. This vulnerability is fixed in 10.34.0 and 11.4.0.
Affected Packages
pnpm (NPM):
Affected version(s) >=0.0.0-pr4475.1 <10.34.0Fix Suggestion:
Update to version 10.34.0pnpm (NPM):
Affected version(s) >=11.0.0 <11.4.0Fix Suggestion:
Update to version 11.4.0Related Resources (1)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.6
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.8
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Insufficient Verification of Data Authenticity
EPSS
Base Score:
0.11