
CVE-2026-50573 — pnpm: Unsafe default behavior breaks integrity check

CVSS 6.8 · Medium · EPSS 0.11% · P1

I. Basic Information for CVE-2026-50573

Vulnerability Information


Vulnerability Title
pnpm: Unsafe default behavior breaks integrity check
Source: NVD (National Vulnerability Database)
Vulnerability Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. When a package is already locked with an integrity value, and the registry later serves different metadata and tarball content for the same package name and version, pnpm initially reports an integrity mismatch. However, a plain `pnpm install` then performs a resolution repair, accepts the registry's new integrity, updates the lockfile, installs the new content, and exits successfully. This means the lockfile integrity check does not act as a hard stop by default. This vulnerability is fixed in 10.34.0 and 11.4.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
Insufficient Verification of Data Authenticity
Source: NVD (National Vulnerability Database)

Affected Products

Vendor: pnpm · Product: pnpm · Affected Versions: < 10.33.4 · CPE: -

II. Public POCs for CVE-2026-50573


No public POC found.


III. Intelligence Information for CVE-2026-50573


Other References for CVE-2026-50573 (1)

Same Patch Batch · pnpm · 2026-06-25 · 13 CVEs total

CVE-2026-50016 · 8.8 HIGH · pnpm: Transitive dependency alias path traversal allows project path override via symlink
CVE-2026-55698 · 8.8 HIGH · pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfi
CVE-2026-55487 · 7.5 HIGH · pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
CVE-2026-55697 · 7.5 HIGH · pnpm: Repository-controlled configDependencies can select a pacquet native install engine
CVE-2026-50015 · 7.3 HIGH · pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)
CVE-2026-55700 · 7.1 HIGH · pnpm: stage download writes outside destination via manifest version traversal
CVE-2026-50021 · 6.8 MEDIUM · pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field
CVE-2026-55180 · 6.5 MEDIUM · pnpm: Repository config can expand victim environment secrets into registry requests befor
CVE-2026-55699 · 6.5 MEDIUM · pnpm: reserved bin name deletes PNPM_HOME during global remove
CVE-2026-50014 · 6.4 MEDIUM · pnpm: Git Fetch Argument Injection via Lockfile resolution.commit
CVE-2026-48995 · pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile
CVE-2026-50017 · pnpm binds unscoped user-level npm auth credentials to a repository-selected registry

IV. Related Vulnerabilities

V. Comments for CVE-2026-50573

No comments yet
