Lucene search
K

5 matches found

NVD
NVD
added 2026/01/07 10:15 p.m.11 views

CVE-2025-69263

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...

8.8CVSS0.0031EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/01/07 9:31 p.m.4 views

CVE-2025-69263 pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...

7.5CVSS6.7AI score0.0031EPSS
Exploits1References2
AlpineLinux
AlpineLinux
added 2026/01/07 9:31 p.m.4 views

CVE-2025-69263

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...

8.8CVSS7.1AI score0.0031EPSS
Exploits1
OSV
OSV
added 2026/01/07 7:6 p.m.9 views

GHSA-7VHP-VF5G-R2FW pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

Summary HTTP tarball dependencies and git-hosted tarballs are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. Details When a package depends on an HTTP tarball URL, pnpm's tarball resolve...

7.5CVSS6.9AI score0.0031EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/01/07 7:6 p.m.13 views

pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

Summary HTTP tarball dependencies and git-hosted tarballs are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. Details When a package depends on an HTTP tarball URL, pnpm's tarball resolve...

8.8CVSS7AI score0.0031EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder