CVE-2026-50014
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
A vulnerability in pnpm package manager before versions 10.34.0 and 11.4.0 allows an attacker to inject Git options into the git fetch command via a malicious lockfile. Lack of validation of the commit value in the lockfile enables substitution of the --upload-pack option, which for SSH and local transports can lead to arbitrary command execution.
Risk Assessment
The organization risks remote code execution (RCE) when installing git dependencies if an attacker provides a malicious lockfile. The attack is particularly dangerous in environments using SSH or local git repositories.
Recommendation
Update pnpm to version 10.34.0 or 11.4.0 immediately. In the meantime, verify trust in lockfiles and limit the use of git dependencies from untrusted sources.
Original NVD description (English source)
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected 40-character commit hash with a Git option such as --upload-pack=<command>. For SSH and local transports, --upload-pack can execute the supplied command. HTTPS transports ignore --upload-pack, so the practical attack surface is primarily SSH or local git dependencies. This vulnerability is fixed in 10.34.0 and 11.4.0.

