9 matches found
CVE-2026-50021
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL...
CVE-2026-23888 pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: 1 Malicious ZIP entries containing ../ or absolute paths that...
@directus/release-notes-generator (>=2.0.2 <=3.0.0-rc.0), @kcconfigs/commitlint (>=0.1.0-beta.0 <=0.2.0) +71 more potentially affected by CVE-2025-69262 via @pnpm/npm-conf (>=3.0.0 <=3.0.1)
@pnpm/npm-conf NPM version =3.0.0, =2.0.2, =0.1.0-beta.0, =1000.3.5, =1000.0.4, =1000.0.4, =1000.0.4, =1000.1.0, =1002.1.1, =1008.0.2, =1016.0.0 and more Source cves: CVE-2025-69262 Source advisory: SNYK:JS-PNPMNPMCONF-14897556...
CVE-2025-69262
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Cod...
CVE-2025-69264 pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the...
CVE-2023-37478
pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via...
SUSE CVE-2024-47829
pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name...
CVE-2024-47829 pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting
pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name...
CVE-2023-37478 pnpm incorrectly parses tar archives relative to specification
pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via...