19 matches found
CVE-2026-48995
A flaw was found in pnpm, a package manager. This vulnerability allows a remote attacker to serve malicious software packages if the codeload.github.com server is compromised or a user's machine configuration is tampered with. The issue arises because pnpm does not verify the integrity of...
CVE-2026-50021
A flaw was found in pnpm, a package manager. An attacker who can modify the pnpm-lock.yaml file and control the package registry can exploit this vulnerability. By removing the integrity field from the lockfile and serving altered package content, the pnpm install --frozen-lockfile command can...
EUVD-2026-39488
pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field...
pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field
Summary pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install...
CVE-2026-50021
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL...
CVE-2026-50021 pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL...
CVE-2026-50021
pnpm has an integrity check bypass when the integrity field is missing from the lockfile. Concrete details from the connected docs show that prior to versions 10.34.0 and 11.4.0, pnpm’s tarball extraction worker skips tarball hash verification if integrity is undefined, allowing an attacker who c...
PT-2026-52517
Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.0 pnpm versions prior to 11.4.0 Description The tarball extraction worker in the pnpm package manager fails to perform integrity verification when the integrity field is missing from the lockfile resolution. This...
PT-2026-52518
Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.0 pnpm versions prior to 11.4.0 Description When running pnpm install in non-frozen mode, the package manager may accept new remote package content even after detecting that the downloaded tarball does not match th...
CVE-2026-32148
Insufficient Verification of Data Authenticity vulnerability in hexpm hex Hex.RemoteConverger module allows dependency integrity bypass via unverified lockfile checksums. Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However,...
CVE-2026-32148
Summary (technical) : The Hex package manager (Hex.RemoteConverger) has a data-authenticity vulnerability where mix.lock checksums are not verified due to a type mismatch: Hex.Utils.lock/1 returns string-based dependency names while verification expects atom-based names, causing silent bypass of ...
CVE-2025-69263
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...
CVE-2025-69263 pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...
CVE-2025-69263 pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...
EUVD-2026-1190
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...
CVE-2025-69263 pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...
GHSA-7VHP-VF5G-R2FW pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies
Summary HTTP tarball dependencies and git-hosted tarballs are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. Details When a package depends on an HTTP tarball URL, pnpm's tarball resolve...
pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies
Summary HTTP tarball dependencies and git-hosted tarballs are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. Details When a package depends on an HTTP tarball URL, pnpm's tarball resolve...
PT-2026-1940
Name of the Vulnerable Software and Affected Versions pnpm versions 10.26.2 and below Description pnpm, a package manager, stores HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes in versions 10.26.2 and below. This allows a remote server to deliver...