Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies
Vulnerability Description
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
下载代码缺少完整性检查
Vulnerability Title
pnpm 安全漏洞
Vulnerability Description
pnpm是pnpm开源的一个包管理器。 pnpm 10.26.2及之前版本存在安全漏洞,该漏洞源于锁文件中存储的HTTP压缩包依赖缺少完整性哈希,可能导致服务器提供不同内容。
CVSS Information
N/A
Vulnerability Type
N/A