CVE-2026-50021

MEDIUM

pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field

Title source: cna
STIX 2.1

Description

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install --frozen-lockfile can install the altered package without an integrity error. npm's npm ci enforces integrity by default; pnpm's behavior of silently skipping verification is a pnpm-specific fail-open gap. This vulnerability is fixed in 10.34.0 and 11.4.0.

References (1)

Core 1
Core References

Scores

CVSS v3 6.8
EPSS 0.0013
EPSS Percentile 2.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-354
Status published
Products (4)
npm/pnpm 0 - 10.34.1npm
npm/pnpm 11.0.0 - 11.4.0npm
pnpm/pnpm < 10.34.0 (2 CPE variants)
pnpm/pnpm >= 11.0.0, < 11.4.0
Published Jun 25, 2026
Tracked Since Jun 25, 2026