CVE Catalog

CVE-2026-55487

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

2th percentile — higher than 2% of all known CVEs

Summary

In pnpm prior to versions 10.34.2 and 11.5.3, the generic peer-suffix normalizer incorrectly stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could authorize a different attacker-controlled source whose locator normalized to the same value.

Risk Assessment

The risk is that a malicious package could be authorized as trusted, potentially leading to the installation of harmful code in the project.

Recommendation

Immediately update pnpm to version 10.34.2 or 11.5.3, depending on the major version in use.

Original NVD description (English source)

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator normalized to the same value. This vulnerability is fixed in 10.34.2 and 11.5.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS