CVE-2026-50573
Status: Undergoing Analysis - In Progress
Integrity Bypass in pnpm Package Manager

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. When a package is already locked with an integrity value, and the registry later serves different metadata and tarball content for the same package name and version, pnpm initially reports an integrity mismatch. However, plain pnpm install then performs a resolution repair, accepts the registry's new integrity, updates the lockfile, installs the new content, and exits successfully. This means the lockfile integrity check does not act as a hard stop by default. This vulnerability is fixed in 10.34.0 and 11.4.0.
CVSS Scores: none listed
EPSS Scores: not evaluated (N/A)
External records: NVD, EUVD
Affected Vendors & Products
Vendor Product Version / Range
pnpm pnpm < 10.34.0
pnpm pnpm >= 11.0.0, < 11.4.0 (exc)
Fixed in 10.34.0 and 11.4.0.
Weakness
CWE ID Description
CWE-345 Insufficient Verification of Data Authenticity: the product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Executive Summary

CVE-2026-50573 affects pnpm versions before 10.34.0 and 11.x versions before 11.4.0. When `pnpm install` runs in non-frozen mode (pnpm's default outside CI environments) and a downloaded tarball does not match the integrity hash recorded in pnpm-lock.yaml, pnpm reports the mismatch but does not stop. Instead it performs a resolution repair: it accepts the new integrity value the registry now advertises, rewrites the lockfile, installs the new content, and exits successfully.

The lockfile integrity hash is supposed to pin the exact bytes of each dependency regardless of what the registry serves later; on affected versions it is only advisory. An attacker who can make the configured registry (including any mirror or proxy pnpm is pointed at) serve different metadata and tarball content for an already-locked name and version gets that content installed. Worse, the rewritten lockfile carries the attacker's hash forward: if it is committed, later installs, including frozen ones, no longer have anything to detect.

Impact Analysis

On an affected version a lockfile does not guarantee that the content installed is the content that was originally locked: if the registry re-serves a locked name@version with different bytes, those bytes are installed and the lockfile is rewritten to match.

  • The lockfile integrity check, normally the last line of defence against a compromised or substituted registry, is downgraded from a hard failure to a warning followed by automatic repair.
  • Replaced package content runs with the privileges of whatever uses it: at runtime inside the application, and at install time if the package's lifecycle scripts are permitted to run. That is arbitrary code execution, with the confidentiality and integrity impact that implies.
  • Exploitation needs no privileges on the victim machine. It needs an attacker who controls what the configured registry serves for an already-locked version, and a user or pipeline that runs plain `pnpm install` (user interaction in CVSS terms).
Detection Guidance

The vulnerable behaviour is observable: pnpm prints an integrity mismatch and then, instead of failing, writes a new integrity value for the same name@version into pnpm-lock.yaml. Two things are worth checking.

  • The installed version: run `pnpm --version` and compare it against the affected ranges (below 10.34.0, or 11.0.0 up to but excluding 11.4.0). Check every place pnpm is pinned, including the `packageManager` field in package.json and any CI images, since those override whatever is installed globally.
  • Lockfile rewrites: after a plain `pnpm install` (no `--frozen-lockfile`) on a clean checkout, diff pnpm-lock.yaml. An `integrity:` value that changed while the `name@version` key above it did not is the signature of this issue (or of a registry that republished a version, which deserves the same scrutiny). Do the install on a scratch copy so a tampered lockfile is never committed, and review pull-request diffs to the lockfile for the same pattern.
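The two checks above, version range and lockfile integrity diff, as one runnable script. This is an added example, not code from pnpm or from this advisory; the sample lockfiles and their `sha512-...` values are constructed placeholders, the affected ranges are taken from the advisory text, and the lockfile parser is a minimal line-oriented reader for the `packages:` section of a lockfileVersion 9 file rather than a full YAML parser.

```javascript
// Added example for CVE-2026-50573 detection; not pnpm project code.
// Two checks: (1) is the installed pnpm in an affected range, and (2) did a
// plain `pnpm install` silently move an integrity hash in pnpm-lock.yaml for
// a name@version that did not change. Only Node built-ins are used.
"use strict";

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any pre-release suffix is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Affected ranges from the advisory: anything before 10.34.0, and 11.x before 11.4.0.
function isVulnerablePnpm(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unparseable pnpm version: ${version}`);
  if (v[0] <= 10) return cmpVersion(v, [10, 34, 0]) < 0;
  if (v[0] === 11) return cmpVersion(v, [11, 4, 0]) < 0;
  return false; // later majors are not listed as affected
}

// Extract name@version -> integrity from the `packages:` section of a
// lockfileVersion 9 pnpm-lock.yaml. Line-oriented on purpose: no YAML
// dependency, and this field's layout is stable enough for the check.
function parseLockIntegrity(lockText) {
  const out = new Map();
  let inPackages = false;
  let current = null;
  for (const line of lockText.split("\n")) {
    if (/^\S/.test(line)) {                 // a new top-level section starts
      inPackages = line.startsWith("packages:");
      current = null;
      continue;
    }
    if (!inPackages) continue;
    const key = /^  '?([^\s:']+@[^\s:']+)'?:\s*$/.exec(line); // "  name@1.2.3:"
    if (key) { current = key[1]; continue; }
    const integ = /^\s+resolution: \{.*?integrity: ([^,}\s]+)/.exec(line);
    if (integ && current) out.set(current, integ[1]);
  }
  return out;
}

// A registry must never re-serve different bytes for a published name@version,
// so an entry whose key is unchanged but whose integrity differs is a finding.
// Genuine upgrades change the key (new version) and are ignored here.
function findIntegrityChanges(beforeText, afterText) {
  const before = parseLockIntegrity(beforeText);
  const after = parseLockIntegrity(afterText);
  const changes = [];
  for (const [pkg, oldInt] of before) {
    const newInt = after.get(pkg);
    if (newInt !== undefined && newInt !== oldInt) changes.push({ pkg, before: oldInt, after: newInt });
  }
  return changes;
}

// Constructed sample lockfiles (placeholder hashes, not real ones): the "after"
// copy is what a vulnerable pnpm writes when the registry re-serves
// lodash@4.17.21 with new content. ms@2.1.3 is a newly added package and must
// not be reported.
const LOCK_BEFORE = `lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      lodash:
        specifier: ^4.17.21
        version: 4.17.21

packages:

  lodash@4.17.21:
    resolution: {integrity: sha512-AAAAoriginalplaceholderAAAA==}

  '@scope/left-pad@1.0.0':
    resolution: {integrity: sha512-BBBBoriginalplaceholderBBBB==}

snapshots:

  lodash@4.17.21: {}
`;

const LOCK_AFTER = LOCK_BEFORE
  .replace("sha512-AAAAoriginalplaceholderAAAA==", "sha512-CCCCnewregistrybytesCCCC==")
  .replace("snapshots:", "  ms@2.1.3:\n    resolution: {integrity: sha512-DDDDnewpackageDDDD==}\n\nsnapshots:");

// Usage: node lock-integrity-diff.js <before.yaml> <after.yaml>; with no
// arguments it runs on the constructed sample. `require` is guarded so the
// functions above still load when this file is treated as an ES module.
const fs = typeof require === "function" ? require("node:fs") : null;
const [beforePath, afterPath] = process.argv.slice(2);
const findings = fs && beforePath && afterPath
  ? findIntegrityChanges(fs.readFileSync(beforePath, "utf8"), fs.readFileSync(afterPath, "utf8"))
  : findIntegrityChanges(LOCK_BEFORE, LOCK_AFTER);
for (const f of findings) console.log(`INTEGRITY CHANGED ${f.pkg}: ${f.before} -> ${f.after}`);
if (beforePath && afterPath && findings.length > 0) process.exitCode = 1; // fail a CI gate on real files
```

In a pipeline, capture the committed lockfile with `git show HEAD:pnpm-lock.yaml > before.yaml`, run the install, and pass `before.yaml` and the working copy to the script; a non-zero exit means an already-locked package changed hash without changing version, which is exactly the condition an affected pnpm repairs instead of rejecting.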
Mitigation Strategies

Upgrade pnpm to 10.34.0 or later on the 10.x line, or 11.4.0 or later on the 11.x line, everywhere it is pinned: the `packageManager` field in package.json, CI images, and developer machines.

Until the upgrade lands, do not run `pnpm install` in non-frozen mode against a lockfile you rely on. Pass `--frozen-lockfile` so that an integrity mismatch fails the install instead of being repaired. pnpm enables this by default in CI environments, but local installs and any job that passes `--no-frozen-lockfile` remain exposed. The frozen check only protects packages that already have an integrity value in the lockfile: the first resolution of a new package or version still trusts whatever the registry returns, so lockfile changes should be reviewed rather than accepted blindly.

Add a guard that fails the build if the install touched the lockfile, for example `git diff --exit-code pnpm-lock.yaml` after `pnpm install`, and treat any diff in which an `integrity:` value changes without the version changing as a security event rather than noise.

Compliance Impact

The vulnerability allows pnpm to accept altered package content from a registry even when the integrity check fails, potentially leading to the installation of untrusted or malicious code. This weakens the security posture by compromising data integrity and confidentiality.

Such a weakness could impact compliance with standards and regulations like GDPR and HIPAA, which require ensuring data integrity and protecting against unauthorized changes or tampering. By allowing unauthorized package modifications, this vulnerability could lead to violations of these requirements, especially if sensitive data or systems are affected.
