Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
pnpm vulnerable to Command Injection via environment variable substitution
Vulnerability Description
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
pnpm 代码注入漏洞
Vulnerability Description
pnpm是pnpm开源的一个包管理器。 pnpm 6.25.0版本至10.26.2版本存在代码注入漏洞,该漏洞源于在.npmrc配置文件中使用环境变量替换时存在命令注入,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A