CVE-2026-55487
Analyzed Analyzed - Analysis Complete

Authentication Bypass via Peer Dependency Normalization in pnpm

Vulnerability report for CVE-2026-55487, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator normalized to the same value. This vulnerability is fixed in 10.34.2 and 11.5.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-29
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
pnpm pnpm to 10.34.2 (exc)
pnpm pnpm From 11.0.0 (inc) to 11.5.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
CWE-346 The product does not properly verify that the source of data or communication is valid.
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55487 is a high-severity vulnerability in the pnpm package manager affecting versions prior to 10.34.2 and 11.5.3. The issue arises from the generic peer-suffix normalizer stripping parenthesized text from various opaque locators such as git URLs, tarballs, and file paths. This normalization flaw allows an attacker to spoof manifest identities by making different source locators appear identical after normalization.

As a result, an attacker can bypass build approvals intended for one source string and instead authorize a different attacker-controlled source that normalizes to the same value. This can lead to unauthorized execution of attacker-controlled lifecycle scripts during builds.

The vulnerability was fixed by enforcing exact byte-for-byte matching of resolved dependency identities, preventing collisions caused by parenthesized suffixes, misclassified URLs, and semver-like tails.

Impact Analysis

This vulnerability can impact you by allowing attackers to bypass build approval mechanisms in pnpm, leading to the execution of unauthorized, attacker-controlled lifecycle scripts during your software builds.

Such unauthorized script execution can compromise the confidentiality, integrity, and availability of your software supply chain, potentially introducing malicious code or disrupting your build processes.

Because the attack vector is network-based and requires user interaction but no privileges, it poses a significant risk especially in environments where dependencies are automatically approved or built.

Detection Guidance

This vulnerability affects pnpm package manager versions prior to 10.34.2 and 11.5.3, specifically those versions that allow manifest identity spoofing through normalization of opaque dependency locators.

To detect if your system is vulnerable, check the installed pnpm version to see if it falls within the affected ranges.

  • Run `pnpm --version` to determine the installed pnpm version.

Additionally, review your build approval logs or ignored-build outputs for any suspicious normalized locators that could indicate exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade pnpm to a fixed version.

  • Upgrade pnpm to version 10.34.2 or later, or 11.5.3 or later, where the vulnerability is patched.

These versions enforce exact byte-for-byte matching of resolved dependency identities, preventing unauthorized execution of attacker-controlled lifecycle scripts.

Until upgrading, carefully audit build approvals and dependency sources to detect any suspicious or unauthorized locators.

Compliance Impact

The vulnerability in pnpm allows attackers to bypass build approvals and execute unauthorized attacker-controlled lifecycle scripts during builds by exploiting manifest identity spoofing. This can lead to unauthorized code execution and potential compromise of the build environment.

Such unauthorized execution and potential compromise could impact the confidentiality, integrity, and availability of software supply chains, which are critical aspects of compliance with standards like GDPR and HIPAA that require protection of data and system integrity.

However, the provided information does not explicitly detail the direct effects on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55487. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart