CVE-2026-55697— pnpm 仓库控制 configDependencies 可选择原生安装引擎漏洞
Possible ATT&CK Techniques 2AI
T1195 · Supply Chain Compromise T1059 · Command and Scripting Interpreter新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-55697の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
pnpm: Repository-controlled configDependencies can select a pacquet native install engine
ソース: NVD (National Vulnerability Database)
脆弱性説明
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency and pnpm treated that repository-controlled dependency as an install-engine opt-in. During install, pnpm resolved a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config/<packageName> and spawned it as the developer or CI user. This vulnerability is fixed in 10.34.2 and 11.5.3.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
ソース: NVD (National Vulnerability Database)
影響を受ける製品
II. CVE-2026-55697の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2026-55697のインテリジェンス情報
请登录查看更多情报信息。
CVE-2026-55697 其他参考 (1)
Same Patch Batch · pnpm · 2026-06-25 · 13 CVEs total
| CVE-2026-50016 | 8.8 HIGH | pnpm: Transitive dependency alias path traversal allows project path override via symlink |
| CVE-2026-55698 | 8.8 HIGH | pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfi |
| CVE-2026-55487 | 7.5 HIGH | pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle |
| CVE-2026-50015 | 7.3 HIGH | pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) |
| CVE-2026-55700 | 7.1 HIGH | pnpm: stage download writes outside destination via manifest version traversal |
| CVE-2026-50021 | 6.8 MEDIUM | pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field |
| CVE-2026-50573 | 6.8 MEDIUM | pnpm: Unsafe default behavior breaks integrity check |
| CVE-2026-55180 | 6.5 MEDIUM | pnpm: Repository config can expand victim environment secrets into registry requests befor |
| CVE-2026-55699 | 6.5 MEDIUM | pnpm: reserved bin name deletes PNPM_HOME during global remove |
| CVE-2026-50014 | 6.4 MEDIUM | pnpm: Git Fetch Argument Injection via Lockfile resolution.commit |
| CVE-2026-48995 | pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile | |
| CVE-2026-50017 | pnpm binds unscoped user-level npm auth credentials to a repository-selected registry |
IV. 関連脆弱性
同じ製品: pnpm
- CVE-2026-55180
pnpm: Repository config can expand victim environment secret - CVE-2026-48995
pnpm: Tarball hash of GitHub git dependencies is not stored - CVE-2026-50017
pnpm binds unscoped user-level npm auth credentials to a rep - CVE-2026-50016
pnpm: Transitive dependency alias path traversal allows proj - CVE-2026-50015
pnpm: Arbitrary File Write/Delete via Malicious Patch File (
同じベンダー: pnpm
- CVE-2026-55180
pnpm: Repository config can expand victim environment secret - CVE-2026-48995
pnpm: Tarball hash of GitHub git dependencies is not stored - CVE-2026-50017
pnpm binds unscoped user-level npm auth credentials to a rep - CVE-2026-50016
pnpm: Transitive dependency alias path traversal allows proj - CVE-2026-50015
pnpm: Arbitrary File Write/Delete via Malicious Patch File (
同じ弱点: CWE-78
- CVE-2026-55441
mise: Arbitrary command execution via task-include files in - CVE-2026-55448
mise: Local credential_command executes untrusted config - CVE-2026-54636
Dokku: OS Command Injection via app.json managed Cron - CVE-2026-45408
Dokku: OS Command Injection via App Name in Git Pre-Receive - CVE-2026-40711
Dell Container Storage Modules v2.16.0 OS命令注入漏洞
V. CVE-2026-55697へのコメント
まだコメントはありません