CVE-2026-50573

MEDIUM

pnpm: Unsafe default behavior breaks integrity check

Title source: cna
STIX 2.1

Description

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. When a package is already locked with an integrity value, and the registry later serves different metadata and tarball content for the same package name and version, pnpm initially reports an integrity mismatch. However, plain pnpm install then performs a resolution repair, accepts the registry's new integrity, updates the lockfile, installs the new content, and exits successfully. This means the lockfile integrity check does not act as a hard stop by default. This vulnerability is fixed in 10.34.0 and 11.4.0.

References (1)

Core 1
Core References

Scores

CVSS v3 6.8
EPSS 0.0011
EPSS Percentile 1.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-345
Status published
Products (5)
npm/pnpm 0 - 10.34.0npm
npm/pnpm 11.0.0 - 11.4.0npm
pnpm/pnpm < 10.34.0
pnpm/pnpm < 10.33.4
pnpm/pnpm >= 11.0.0, < 11.4.0
Published Jun 25, 2026
Tracked Since Jun 25, 2026