Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Network-delivered dependency, no attacker privileges, but a victim must approve a build (UI:R); successful lifecycle execution yields total host compromise so C/I/A all High.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator normalized to the same value. This vulnerability is fixed in 10.34.2 and 11.5.3.
AnalysisAI
Build-script approval bypass in the pnpm package manager (versions before 10.34.2, and 11.0.0 through 11.5.2) lets an attacker-controlled dependency source run lifecycle scripts that a user only approved for a different, legitimate source. The generic peer-suffix normalizer stripped parenthesized text from opaque locators (git, URL, tarball, file), so two distinct sources could normalize to the same allowBuilds key - meaning approval of foo@https://host/pkg.tgz also authorized foo@https://host/pkg.tgz(evil). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) the project to use pnpm with build-script approval (allowBuilds / onlyBuiltDependencies) and a prior user approval of a legitimate OPAQUE-locator source - git, URL, tarball, file, or directory; registry-package identities are NOT affected because they legitimately normalize peer suffixes and retain patch hashes; and (2) the attacker to introduce a second source whose locator normalizes to the same key as the approved one (one of three forms: a parenthesized suffix like (evil), a final-@ semver tail misclassified as a registry package, or a semver-looking source-only tail). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H = 8.8) and SSVC (Exploitation: poc, Automatable: no, Technical Impact: total) align on a serious flaw: network-reachable, low-complexity, no privileges, but requiring user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer approves building a trusted opaque dependency such as foo@https://host/pkg.tgz. An attacker who can influence the project's dependency set (e.g. … |
| Remediation | Vendor-released patch: upgrade to pnpm 10.34.2 (for the 10.x line) or 11.5.3 (for the 11.x line), which reject all three normalization-collision forms and enforce byte-exact matching for opaque locators while preserving legitimate registry peer-suffix normalization. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Scan all build systems, development environments, and CI/CD pipelines to identify pnpm installations and document their current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Arbitrary code execution in the pnpm package manager (versions 10.0.0 through 10.25) lets a git-hosted dependency run co
pnpm is a package manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentica
Path traversal in pnpm before 10.34.0 and 11.4.0 lets a malicious registry package smuggle '../' segments inside a trans
Arbitrary code execution in the pnpm package manager (versions prior to 10.34.2 and 11.5.3) lets a malicious repository
Arbitrary command execution in pnpm before 10.34.2 and 11.5.3 allows a malicious repository to run attacker-chosen nativ
Supply-chain integrity bypass in pnpm package manager (versions ≤10.26.2, per description; GHSA states <10.26.0) allows
PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unex
Integrity-check bypass in the pnpm package manager (versions before 10.34.0/10.34.1 and 11.0.0-11.3.x) lets tampered pac
{VAR} substitution inside .npmrc tokenHelper settings combined with spawnSync invoked with shell: true. The bug primaril
Arbitrary file write and deletion in pnpm package manager (versions prior to 10.34.0 and 11.4.0) lets a malicious contri
Arbitrary command execution in pnpm before 10.34.0 and 11.4.0 allows a malicious lockfile to run code on a developer's m
Path traversal in pnpm's `pnpm stage download` command (versions 11.3.0 through 11.5.2) lets a malicious or compromised
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39481
GHSA-5wx6-mg75-v57r