Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attacker controls a distributed lockfile (PR:N) but needs victim to run install (UI:R) and a non-default SSH/local transport (AC:H); injected command execution yields full C/I/A:H.
Primary rating from Vendor (GitHub_M).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Description (NVD)
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected 40-character commit hash with a Git option such as --upload-pack=<command>. For SSH and local transports, --upload-pack can execute the supplied command. HTTPS transports ignore --upload-pack, so the practical attack surface is primarily SSH or local git dependencies. This vulnerability is fixed in 10.34.0 and 11.4.0.
Analysis (AI)
Arbitrary command execution in pnpm before 10.34.0 and 11.4.0 allows a malicious lockfile to run code on a developer's machine during pnpm install. Because pnpm passes the lockfile-controlled resolution.commit to git fetch/git checkout without a -- separator or 40-hex-character validation, an attacker can substitute the expected commit hash with a Git option such as --upload-pack=<command>, which Git executes for SSH and local (file://) transports. …
Vulnerability Assessment (AI)
| Section | Assessment |
| --- | --- |
| Exploitation | Exploitation requires three concrete conditions: (1) the attacker must control the contents of `pnpm-lock.yaml`, specifically the `resolution.commit` field of a git dependency (e.g., via a malicious PR or compromised repo); (2) that git dependency must be fetched over SSH or local (`file://`) git transport AND go through pnpm's shallow-fetch path - HTTPS transport ignores `--upload-pack` and is NOT exploitable; and (3) a victim must run `pnpm install` (UI:R) on pnpm older than 10.34.0 or 11.0.0-11.3.x. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderate and internally consistent rather than alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can influence a project's `pnpm-lock.yaml` - for example via a malicious pull request, a compromised dependency, or a poisoned shared repository - edits a git dependency entry that resolves over SSH or local transport and replaces the 40-character commit hash with `--upload-pack=<malicious command>`. When a developer or CI runner subsequently runs `pnpm install`, pnpm's shallow-fetch path passes that value to `git fetch`, and Git executes the attacker's command as the user running install. … |
| Remediation | Upgrade pnpm to a fixed release: Vendor-released patch: 10.34.0 (for the 10.x line) or 11.4.0 (for the 11.x line), per advisory https://github.com/pnpm/pnpm/security/advisories/GHSA-p4xf-rf54-rj3x. … Detailed patch versions, workarounds, and compensating controls in full report. |
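A defensive pre-install check that applies the validation the description and assessment above say pnpm lacked: every git dependency's `resolution.commit` must be a plain 40-hex hash, and anything else is reported with the transport it would be fetched over. This is an added example, not code from the advisory, vuln.today, or pnpm; the lockfile layout it parses and the sample entries are constructed assumptions.

```javascript
// Added example (not code from the advisory or pnpm): scan pnpm-lock.yaml text for
// git dependencies whose resolution.commit is not a 40-hex hash, i.e. the value a
// vulnerable pnpm would pass to `git fetch` unvalidated. Assumes pnpm's inline form:
//   resolution: {type: git, repo: '...', commit: '...'}
const FULL_SHA = /^[0-9a-f]{40}$/i;
// Per the advisory, only SSH and local transports honour --upload-pack; HTTPS ignores it.
function transportOf(repo) {
  const r = repo.toLowerCase();
  if (r.startsWith('file://') || r.startsWith('git+file://')) return 'local';
  if (r.startsWith('https://') || r.startsWith('git+https://')) return 'https';
  if (/^(git\+)?ssh:\/\//.test(r) || /^(git\+)?[\w.-]+@[^/]+:/.test(r)) return 'ssh';
  return 'unknown';
}
// One finding per git entry whose commit is not a full hash. Minimal parser: the
// repo and commit fields are not expected to contain commas.
function auditLockfile(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*resolution:\s*\{(.*)\}\s*$/);
    if (!m || !/\btype:\s*git\b/.test(m[1])) continue;
    const fields = {};
    for (const kv of m[1].split(',')) {
      const [key, ...rest] = kv.split(':');
      if (rest.length) fields[key.trim()] = rest.join(':').trim().replace(/^['"]|['"]$/g, '');
    }
    const commit = fields.commit ?? '';
    if (FULL_SHA.test(commit)) continue;
    const transport = transportOf(fields.repo ?? '');
    findings.push({
      repo: fields.repo ?? '',
      commit,
      startsWithDash: commit.startsWith('-'), // git would read this as an option
      transport,
      risk: transport === 'ssh' || transport === 'local' ? 'high' : 'low',
    });
  }
  return findings;
}
// Constructed sample: a clean SSH entry, an SSH entry carrying an option-shaped
// commit (placeholder path, not a payload), and an HTTPS entry pinned to a branch.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'
packages:
  widget@git+ssh://git@github.com/acme/widget.git#0123456789abcdef0123456789abcdef01234567:
    resolution: {type: git, repo: 'git+ssh://git@github.com/acme/widget.git', commit: 0123456789abcdef0123456789abcdef01234567}
  gadget@git+ssh://git@github.com/acme/gadget.git#deadbeef:
    resolution: {type: git, repo: 'git+ssh://git@github.com/acme/gadget.git', commit: '--upload-pack=/tmp/placeholder'}
  lib@https://github.com/acme/lib.git#main:
    resolution: {type: git, repo: 'https://github.com/acme/lib.git', commit: main}
`;
if (typeof require !== 'undefined' && require.main === module) console.log(auditLockfile(SAMPLE_LOCKFILE));
```

Run it against a real lockfile in CI and fail the job on any `high` finding; a branch name over HTTPS is still worth pinning to a hash, but it is not the condition the advisory describes.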
Recommended Action (AI)
24 hours: Audit all development machines, CI/CD systems, and Docker build environments to identify pnpm versions <10.34.0 or <11.4.0; notify development teams of remediation requirement. …
Identifiers: EUVD-2026-39490, GHSA-p4xf-rf54-rj3x