
5 matches found

Github Security Blog
added 5 days ago, 6 views

pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile

Summary: A malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. Details: The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if this server was compromised or a person's...

CVSS 7.5 | AI score 5.8 | EPSS 0.00116
Exploits: 1 | References: 3 | Affected Software: 1
CVE
added 6 days ago, 19 views

CVE-2026-48995

CVE-2026-48995 affects pnpm, a package manager. Prior to versions 10.33.4 and 11.0.7, a malicious codeload.github.com server could serve arbitrary tarballs and pnpm would install them regardless of the lockfile because the tarball hash is not stored in the lockfile. This could enable tampering of...

CVSS 7.5 | AI score 5.9 | EPSS 0.00116
Exploits: 1 | References: 1 | Affected Software: 1
OSV
added 2025/09/26 9:39 a.m., 2 views

MAL-2025-47714 Malicious code in pnpm_lockfile_file_v8 (npm)


AI score 7
Exploits: 0
Huntr
added 2022/02/28 7:32 p.m., 15 views

OS Command Injection

Description: npm-lockfile before 2.0.4 does not sanitize unsafe external input and invokes a sensitive command execution API with the input, causing a command injection vulnerability. Proof of Concept: // npm i [email protected] const getLockfile = require('npm-lockfile/getLockfile');...

CVSS 10 | AI score 3 | EPSS 0.02675
Exploits: 1
Packet Storm
added 1999/08/17 12:00 a.m., 46 views

ipop3d.4.xx.lockfile.DoS.txt

Date: Sun, 7 Mar 1999 01:41:25 +0100 From: Michal Zalewski. Lockfile vulnerability in ipop3d 4.xx. The problem is probably well known, but silently ignored by pine vendors. Unfortunately, it's possible to turn a 'mostly harmless feature' into something nasty - the following code allows various DoSes by...

AI score 7.4
Exploits: 0