CVE-2026-50014
Undergoing Analysis - In Progress
Git Option Injection in pnpm Package Manager

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected 40-character commit hash with a Git option such as --upload-pack=<command>. For SSH and local transports, --upload-pack can execute the supplied command. HTTPS transports ignore --upload-pack, so the practical attack surface is primarily SSH or local git dependencies. This vulnerability is fixed in 10.34.0 and 11.4.0.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor   Product   Version / Range
pnpm     pnpm      to 10.34.0 (inc)
pnpm     pnpm      to 11.4.0 (inc)
pnpm     pnpm      to 10.34.0 (exc)
pnpm     pnpm      to 11.4.0 (exc)
pnpm     pnpm      From 11.0.0 (inc) to 11.4.0 (exc)
CWE ID   Description
CWE-88   The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Executive Summary

CVE-2026-50014 is a moderate-severity vulnerability in pnpm, a JavaScript package manager. The issue arises because pnpm passes the commit value from the lockfile directly to Git fetch commands without validating the commit format or using a proper argument separator.

This allows an attacker to modify the pnpm-lock.yaml file to replace the expected 40-character commit hash with a Git option such as --upload-pack=<command>. When pnpm fetches Git dependencies via SSH or local transports, this option can execute arbitrary commands supplied by the attacker.

HTTPS transports are not affected by this vulnerability. The root cause is missing validation of commit hashes and lack of argument delimiters in Git commands.

Impact Analysis

This vulnerability can lead to the execution of arbitrary commands on systems using vulnerable versions of pnpm when fetching Git dependencies over SSH or local transports.

The impact includes potential compromise of confidentiality and integrity of the affected system, as attackers can run malicious commands through crafted lockfiles.

The CVSS score of 6.4 reflects a moderate risk with high potential impacts on confidentiality and integrity, but no impact on availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade pnpm to version 10.34.0 or later, or 11.4.0 or later, where the issue is fixed.

The fix involves adding a -- separator before commit values and validating commit hashes against a 40-character hexadecimal pattern to prevent argument injection.

Avoid using SSH or local Git transports for fetching dependencies if you cannot upgrade immediately, as HTTPS transports are not affected by this vulnerability.

Compliance Impact

The vulnerability in pnpm allows an attacker to execute arbitrary commands via maliciously crafted lockfiles, potentially compromising the confidentiality and integrity of systems using affected versions.

Such unauthorized command execution and potential data compromise could lead to violations of common standards and regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality and integrity.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.

Detection Guidance

This vulnerability involves pnpm passing unvalidated commit values to git fetch commands, which can be exploited by malicious entries in the pnpm-lock.yaml file. To detect if your system is vulnerable, you should first check the version of pnpm installed to see if it is older than 10.34.0 or between 11.0.0 and 11.4.0.

  • Check pnpm version: `pnpm --version`

To detect if a malicious lockfile is present, you can inspect the pnpm-lock.yaml file for any git dependencies that have commit values which are not valid 40-character hexadecimal commit hashes but instead contain suspicious Git options such as '--upload-pack='.

  • List git resolutions whose commit value is not a 40-character hexadecimal hash (this also catches the `--upload-pack=` case): `grep -En 'commit: ' pnpm-lock.yaml | grep -Ev 'commit: [0-9a-f]{40}[,}]'`

Additionally, monitoring git fetch commands executed by pnpm for unusual arguments or unexpected command injections could help detect exploitation attempts, but no specific commands for this are provided in the available resources.
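As an added example (not pnpm's own code), the following JavaScript applies the lockfile check described above together with the fix described under Mitigation Strategies: it flags git resolutions whose commit value is not a 40-character hex SHA, and builds a fetch argv that validates the value and places a `--` separator before the lockfile-controlled arguments. It assumes the lockfile's inline `resolution: {type: git, repo: ..., commit: ...}` form and uses a constructed sample lockfile.

```javascript
// Added example, not pnpm's own code. Assumes the inline lockfile form
// `resolution: {type: git, repo: ..., commit: ...}` (assumption) and checks
// it line by line, so no YAML parser is required.

const COMMIT_SHA = /^[0-9a-f]{40}$/;

// A commit value is acceptable only if it is exactly a full lowercase hex
// SHA-1 as git emits it; anything else, including a value starting with "-", is rejected.
function isValidCommit(value) {
  return typeof value === "string" && COMMIT_SHA.test(value);
}

// Constructed sample lockfile fragment: one valid git entry, one entry whose
// commit carries a git option, and one registry entry that is skipped.
const SAMPLE_LOCKFILE = [
  "packages:",
  "",
  "  'good-dep@git+ssh://git@example.com/org/good.git#0123456789abcdef0123456789abcdef01234567':",
  "    resolution: {type: git, repo: git+ssh://git@example.com/org/good.git, commit: 0123456789abcdef0123456789abcdef01234567}",
  "",
  "  'bad-dep@git+ssh://git@example.com/org/bad.git#x':",
  "    resolution: {type: git, repo: git+ssh://git@example.com/org/bad.git, commit: --upload-pack=<command>}",
  "",
  "  lodash@4.17.21:",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
].join("\n");

// Detection: return every git resolution whose commit is not a valid SHA.
function findSuspiciousCommits(lockfileText) {
  const findings = [];
  lockfileText.split("\n").forEach((line, idx) => {
    if (!/resolution:\s*\{[^}]*\btype:\s*git\b/.test(line)) return;
    const m = line.match(/\bcommit:\s*([^,}]+)/);
    const commit = m ? m[1].trim().replace(/^['"]|['"]$/g, "") : "";
    if (!isValidCommit(commit)) findings.push({ line: idx + 1, commit });
  });
  return findings;
}

// Mitigation: validate first, then end option parsing with "--" so the
// lockfile-controlled values are always positional. Return an argv array
// for spawn() without a shell; never join it into a command string.
function buildFetchArgs(repo, commit) {
  if (!isValidCommit(commit)) {
    throw new Error(`refusing to fetch: invalid commit value ${JSON.stringify(commit)}`);
  }
  return ["fetch", "--depth=1", "--", repo, commit];
}

console.log(findSuspiciousCommits(SAMPLE_LOCKFILE)); // flags line 7
```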
