
pnpm — Vulnerabilities & Security Advisories (24)

Browse all 24 CVE security advisories affecting pnpm. AI-powered Chinese analysis, POCs, and references for each vulnerability.

pnpm is a fast, disk-space-efficient package manager for JavaScript projects. The 24 advisories listed below fall into a few recurring classes: path traversal during tarball, ZIP and patch-file handling and in bin-link creation (CWE-22/CWE-23); command and argument injection through environment-variable substitution and git fetch options (CWE-78/CWE-88); lockfile and integrity-check bypasses that let the package actually installed diverge from what the lockfile pins (CWE-345/CWE-354/CWE-494/CWE-353); evasion of the v10 default that disables dependency lifecycle scripts (CWE-693/CWE-346); and leakage of registry credentials or environment secrets to a repository-selected registry (CWE-200). Several of these are triggered by repository-controlled configuration or lockfile content, so cloning and installing an untrusted project is the realistic exposure. pnpm's content-addressable store and lockfile-driven installs reduce the attack surface compared with some alternatives, but the same resolution and extraction code paths are where most of the listed issues sit. Keep pnpm current and check the advisories below before installing from untrusted sources.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
--- | --- | --- | --- | --- | --- | ---
CVE-2026-55180 | pnpm: Repository config can expand victim environment secrets into registry requests before scripts run | pnpm | CWE-200 | 6.5 | Medium | 2026-06-25
CVE-2026-48995 | pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile | pnpm | CWE-353 | - | - | 2026-06-25
CVE-2026-50017 | pnpm binds unscoped user-level npm auth credentials to a repository-selected registry | pnpm | CWE-200 | - | - | 2026-06-25
CVE-2026-50016 | pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement | pnpm | CWE-23 | 8.8 | High | 2026-06-25
CVE-2026-50015 | pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) | pnpm | CWE-22 | 7.3 | High | 2026-06-25
CVE-2026-50014 | pnpm: Git Fetch Argument Injection via Lockfile resolution.commit | pnpm | CWE-88 | 6.4 | Medium | 2026-06-25
CVE-2026-50573 | pnpm: Unsafe default behavior breaks integrity check | pnpm | CWE-345 | 6.8 | Medium | 2026-06-25
CVE-2026-50021 | pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field | pnpm | CWE-354 | 6.8 | Medium | 2026-06-25
CVE-2026-55700 | pnpm: stage download writes outside destination via manifest version traversal | pnpm | CWE-22 | 7.1 | High | 2026-06-25
CVE-2026-55699 | pnpm: reserved bin name deletes PNPM_HOME during global remove | pnpm | CWE-22 | 6.5 | Medium | 2026-06-25
CVE-2026-55698 | pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes | pnpm | CWE-345 | 8.8 | High | 2026-06-25
CVE-2026-55697 | pnpm: Repository-controlled configDependencies can select a pacquet native install engine | pnpm | CWE-78 | 7.5 | High | 2026-06-25
CVE-2026-55487 | pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle | pnpm | CWE-346 | 7.5 | High | 2026-06-25
CVE-2026-24131 | pnpm has Path Traversal via arbitrary file permission modification | pnpm | CWE-22 | 7.7 (AI) | High (AI) | 2026-01-26
CVE-2026-24056 | pnpm has symlink traversal in file:/git dependencies | pnpm | CWE-22 | 7.7 (AI) | High (AI) | 2026-01-26
CVE-2026-23890 | pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin | pnpm | CWE-23 | 6.5 | Medium | 2026-01-26
CVE-2026-23889 | pnpm has Windows-specific tarball Path Traversal | pnpm | CWE-22 | 6.5 | Medium | 2026-01-26
CVE-2026-23888 | pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip) | pnpm | CWE-22 | 6.5 | Medium | 2026-01-26
CVE-2025-69262 | pnpm vulnerable to Command Injection via environment variable substitution | pnpm | CWE-78 | 7.6 | High | 2026-01-07
CVE-2025-69264 | pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default" | pnpm | CWE-693 | 8.8 | High | 2026-01-07
CVE-2025-69263 | pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies | pnpm | CWE-494 | 7.5 | High | 2026-01-07
CVE-2024-47829 | pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting | pnpm | CWE-328 | 6.5 | Medium | 2025-04-23
CVE-2024-53866 | pnpm vulnerable to no-script global cache poisoning via overrides / `ignore-scripts` evasion | pnpm | CWE-426 | 9.8 | - | 2024-12-10
CVE-2023-37478 | pnpm incorrectly parses tar archives relative to specification | pnpm | CWE-284 | 7.5 | High | 2023-08-01

Values marked (AI) carry the source page's "AI" tag, i.e. a score and severity produced by the site's AI analysis rather than taken from the published advisory; "-" means no value is listed.

This page lists every published CVE security advisory associated with pnpm. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.