CVE Catalog

CVE-2026-50021

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

In pnpm before versions 10.34.0 and 11.4.0, the tarball extraction worker skips integrity verification when the integrity field is missing from pnpm-lock.yaml. An attacker can remove this field and serve altered package content, allowing installation of modified packages without integrity errors.

Risk Assessment

The organization may install maliciously altered packages, leading to application security breaches, including potential code injection or data theft.

Recommendation

Immediately upgrade pnpm to version 10.34.0 or 11.4.0, which fix this vulnerability. Additionally, consider using npm ci as an alternative that enforces integrity by default.

Original NVD description (English source)

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install --frozen-lockfile can install the altered package without an integrity error. npm's npm ci enforces integrity by default; pnpm's behavior of silently skipping verification is a pnpm-specific fail-open gap. This vulnerability is fixed in 10.34.0 and 11.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS