Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Malicious repo is network-delivered and unauthenticated (AV:N/PR:N) but the victim must run pnpm (UI:R); resulting arbitrary code execution yields full C:H/I:H/A:H with unchanged scope.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (CVE.org)
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained matching pnpm and @pnpm/exe versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching. This vulnerability is fixed in 10.34.2 and 11.5.3.
Analysis (AI)
Arbitrary code execution in the pnpm package manager (versions prior to 10.34.2 and 11.5.3) lets a malicious repository hijack pnpm's automatic version-switching mechanism. By committing crafted package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml - including matching pnpm and @pnpm/exe versions plus package records and snapshots - an attacker bypasses fresh package-manager resolution and causes pnpm to install and execute attacker-selected bytes when a developer runs pnpm in the cloned repo. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the victim run pnpm directly inside an attacker-controlled repository whose committed pnpm-lock.yaml has been crafted to persist package-manager bootstrap metadata (packageManagerDependencies) in its first YAML document, with the committed env lockfile containing matching pnpm and @pnpm/exe versions, so that automatic package-manager version switching is triggered and fresh resolution is bypassed. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 8.8) indicates a low-complexity, unauthenticated, network-reachable attack whose only significant constraint is the required user interaction (UI:R): a developer must run pnpm inside the malicious repository. … |
| Exploit Scenario | An attacker publishes a tempting open-source repository (or submits a pull request) whose committed pnpm-lock.yaml carries crafted package-manager bootstrap metadata with matching pnpm and @pnpm/exe versions and attacker-chosen package records/snapshots. A developer clones the repo and runs a normal pnpm command, triggering automatic version switching; pnpm trusts the committed lockfile state, skips fresh resolution, and installs and executes the attacker-selected bytes on the developer's machine. … |
| Remediation | Vendor-released patch: upgrade pnpm to 10.34.2 (10.x line) or 11.5.3 (11.x line) as the primary and complete fix, per GitHub Security Advisory GHSA-w466-c33r-3gjp (https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp). … |
Recommended Action (AI)
Within 24 hours: Inventory all pnpm deployments in development and CI/CD environments; disable or restrict repository cloning from untrusted external sources; notify development teams of the vulnerability. …
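A pre-install audit that a defender could run in CI or before invoking pnpm in a freshly cloned repository, as an added example that is not part of this advisory or of pnpm's own code. It serves both the mechanism described in the Description and Analysis sections and the inventory step of the Recommended Action: it splits pnpm-lock.yaml into its YAML documents, reads the first one for packageManagerDependencies, flags committed package records or snapshots beside that metadata, and compares the pinned pnpm version against the fixed releases 10.34.2 and 11.5.3. Only the key name packageManagerDependencies, the multi-document layout and those version numbers come from the advisory; the other field names (packages, snapshots, resolution, integrity, dev) and both sample lockfiles are constructed assumptions rather than pnpm's real schema, and the YAML parser is a deliberately minimal subset so the script runs without dependencies.

```python
"""Pre-install audit of pnpm-lock.yaml (added example, not pnpm's own code).
Only the key name packageManagerDependencies, the multi-document layout and the
fixed versions come from the advisory; other field names and both sample
lockfiles are constructed assumptions, not pnpm's real schema."""
import re

FIXED = {10: (10, 34, 2), 11: (11, 5, 3)}  # first fixed release per line

def parse_version(text):
    """(major, minor, patch) from '10.30.0' or 'pnpm@10.30.0', else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version):
    """True when the version is at or above the fixed release of its line."""
    v = parse_version(version)
    if v is None:
        return False  # unparseable: cannot be shown to be patched
    # "prior to 10.34.2 and 11.5.3": every line older than 10.x is unpatched too
    return v >= FIXED[v[0]] if v[0] in FIXED else v[0] > 11

def split_documents(text):
    """Split a YAML stream on bare '---' separator lines."""
    return re.split(r"(?m)^---[ \t]*$", text)

def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"" else s

def parse_simple_yaml(doc):
    """Minimal parser for nested mappings of scalars; not general YAML
    (no sequences, anchors, flow collections or multi-line scalars)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in doc.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while indent <= stack[-1][0]:  # back out to this line's parent
            stack.pop()
        body, mapping = raw.strip(), stack[-1][1]
        if body.endswith(":"):  # a nested mapping opens
            child = mapping[_unquote(body[:-1])] = {}
            stack.append((indent, child))
        else:
            k, _, v = body.partition(": ")
            mapping[_unquote(k)] = _unquote(v)
    return root

def audit_lockfile(text):
    """Return findings for one pnpm-lock.yaml's contents (empty list = clean)."""
    docs = split_documents(text)
    head = parse_simple_yaml(docs[0]) if len(docs) > 1 else {}
    pmd = head.get("packageManagerDependencies")
    if not isinstance(pmd, dict):
        return []  # no bootstrap document, so no version switch to hijack
    findings = []
    pinned = pmd.get("pnpm")
    if pinned and not is_patched(pinned):
        findings.append(f"pins pnpm {pinned}, below the fixed 10.34.2 / 11.5.3")
    # assumption: committed records sit beside the metadata in the first document
    records = [k for k in ("packages", "snapshots") if k in head]
    if records:
        findings.append(f"first document carries committed package-manager records "
                        f"({', '.join(records)}) that unpatched pnpm would trust")
    return findings

# Constructed sample of the risky shape (field names are assumptions).
RISKY_LOCKFILE = """\
packageManagerDependencies:
  pnpm: 10.30.0
  '@pnpm/exe': 10.30.0
packages:
  '@pnpm/exe@10.30.0':
    resolution:
      integrity: sha512-CONSTRUCTED-PLACEHOLDER
snapshots:
  '@pnpm/exe@10.30.0':
    dev: false
---
lockfileVersion: '9.0'
"""

# Constructed clean counterpart: metadata only, pinned at a fixed release.
CLEAN_LOCKFILE = """\
packageManagerDependencies:
  pnpm: 10.34.2
  '@pnpm/exe': 10.34.2
---
lockfileVersion: '9.0'
"""

if __name__ == "__main__":
    for name, text in (("risky", RISKY_LOCKFILE), ("clean", CLEAN_LOCKFILE)):
        print(name, audit_lockfile(text) or ["no findings"])
```

Feed a repository's pnpm-lock.yaml to audit_lockfile before running pnpm in it. A non-empty result means the committed lockfile would steer automatic version switching on an unpatched pnpm, so the repository should be reviewed first or pnpm upgraded to 10.34.2 / 11.5.3; an empty result on a single-document lockfile simply means there is no bootstrap metadata to trust.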
References
- EUVD-2026-39484
- GHSA-w466-c33r-3gjp