Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

pnpm — Vulnerabilities & Security Advisories 11

Browse all 11 CVE security advisories affecting pnpm. AI-powered Chinese analysis, POCs, and references for each vulnerability.

pnpm serves as a fast, disk-space-efficient package manager for JavaScript projects, addressing dependency management challenges. Historically, it has faced vulnerabilities including remote code execution through malicious packages, cross-site scripting flaws, and privilege escalation risks. The project maintains 11 CVEs on record, with notable incidents including RCE vulnerabilities in package resolution and extraction mechanisms. Security characteristics include a focus on deterministic builds and reduced attack surface compared to some alternatives, though its complex dependency resolution has introduced potential vectors for exploitation. Regular updates address these issues, but users should monitor advisories for newly discovered weaknesses in the package ecosystem.

Top products by pnpm: pnpm
CVE IDTitleCVSSSeverityPublished
CVE-2026-24131 pnpm has Path Traversal via arbitrary file permission modification — pnpmCWE-22 7.7AIHighAI2026-01-26
CVE-2026-24056 pnpm has symlink traversal in file:/git dependencies — pnpmCWE-22 7.7AIHighAI2026-01-26
CVE-2026-23890 pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin — pnpmCWE-23 6.5 Medium2026-01-26
CVE-2026-23889 pnpm has Windows-specific tarball Path Traversal — pnpmCWE-22 6.5 Medium2026-01-26
CVE-2026-23888 pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip) — pnpmCWE-22 6.5 Medium2026-01-26
CVE-2025-69262 pnpm vulnerable to Command Injection via environment variable substitution — pnpmCWE-78 7.6 High2026-01-07
CVE-2025-69264 pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default" — pnpmCWE-693 8.8 High2026-01-07
CVE-2025-69263 pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies — pnpmCWE-494 7.5 High2026-01-07
CVE-2024-47829 pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting — pnpmCWE-328 6.5 Medium2025-04-23
CVE-2024-53866 pnpm vulnerable to no-script global cache poisoning via overrides / `ignore-scripts` evasion — pnpmCWE-426 9.8 -2024-12-10
CVE-2023-37478 pnpm incorrectly parses tar archives relative to specification — pnpmCWE-284 7.5 High2023-08-01

This page lists every published CVE security advisory associated with pnpm. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.