CVE-2026-55698
Undergoing Analysis - In Progress
pnpm Lockfile Tampering Leading to Arbitrary Code Execution

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained matching pnpm and @pnpm/exe versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching. This vulnerability is fixed in 10.34.2 and 11.5.3.
Meta Information

Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products

Vendor   Product   Version / Range
pnpm     pnpm      all versions before 10.34.2
pnpm     pnpm      11.x versions before 11.5.3
CWE ID    Name and Description
CWE-829   Inclusion of Functionality from Untrusted Control Sphere: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
CWE-494   Download of Code Without Integrity Check: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
CWE-345   Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
AI Quick Actions
Detection Guidance

This vulnerability involves the pnpm package manager trusting package-manager bootstrap metadata committed in the first YAML document of pnpm-lock.yaml. Detection has two parts: confirming whether the installed pnpm is an affected release, and inspecting the lockfile of any checkout you did not produce yourself for committed bootstrap records.

  • Check the pnpm version with `pnpm --version`; every release before 10.34.2, and every 11.x release before 11.5.3, is affected. Run the check from outside the untrusted checkout, since any pnpm invocation inside it may trigger the automatic version switch this issue abuses.
  • Inspect the first YAML document of pnpm-lock.yaml (the part before the first `---` separator) for a packageManagerDependencies entry and for pnpm or @pnpm/exe package records.
  • Review the history of pnpm-lock.yaml in version control (for example `git log -p -- pnpm-lock.yaml`) for unexpected or unreviewed changes to that first document.
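The three checks above, as an added example written for this page rather than code from the pnpm project or the advisory. It assumes a lockfile layout the advisory only describes in outline: a multi-document YAML stream whose first document carries the bootstrap metadata under a packageManagerDependencies key, with records written as pnpm@<version> and @pnpm/exe@<version>; the sample lockfile embedded at the bottom is constructed for the example and the function and file names are the author's own.

```shell
#!/bin/sh
# Added example for this page (not pnpm project code): the detection steps
# above as shell functions that can be sourced in CI or run by hand.
# Assumptions, not confirmed by the advisory: pnpm-lock.yaml is a multi-document
# YAML stream whose first document (everything before the first "---") carries
# the bootstrap metadata under a packageManagerDependencies key, with records
# written as pnpm@<ver> and @pnpm/exe@<ver>. Adjust the patterns if your
# lockfiles differ. The sample lockfile below is constructed for this example.

# Emit only the first YAML document of the lockfile read on stdin, skipping an
# optional leading "---" and stopping at the next separator.
first_yaml_document() {
  awk '/^---[[:space:]]*$/ { if (NR == 1) next; exit } { print }'
}

# Print the package-manager bootstrap records found in the first document.
# Exit 1 if any exist (review them before running pnpm in that checkout),
# 0 if the document carries none.
scan_bootstrap_metadata() {
  first_yaml_document | awk '
    /packageManagerDependencies/ { hits++; print "bootstrap key: " $0; next }
    /@pnpm\/exe/                 { hits++; print "exe record:    " $0; next }
    /pnpm@[0-9]/                 { hits++; print "pnpm record:   " $0; next }
    END { if (hits > 0) exit 1; exit 0 }'
}

# Classify an installed pnpm version against the fixed releases named in the
# advisory, 10.34.2 and 11.5.3. Everything before 10.34.2, older majors
# included, is reported as vulnerable, following the advisory's "prior to".
pnpm_version_status() {
  v=${1%%-*}                                  # drop a prerelease suffix
  oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs  # split on dots
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  case $major in
    10) fixed_minor=34; fixed_patch=2 ;;
    11) fixed_minor=5;  fixed_patch=3 ;;
    *)  if [ "$major" -ge 12 ]; then echo patched; else echo vulnerable; fi
        return ;;
  esac
  if [ "$minor" -gt "$fixed_minor" ] ||
     { [ "$minor" -eq "$fixed_minor" ] && [ "$patch" -ge "$fixed_patch" ]; }; then
    echo patched
  else
    echo vulnerable
  fi
}

# Succeed (exit 0) when the bootstrap document of pnpm-lock.yaml differs
# between two git revisions, e.g. a merge base and a pull-request head, so the
# change can be routed for mandatory review.
bootstrap_doc_changed() {
  base=$1; head=${2:-HEAD}
  a=$(git show "$base:pnpm-lock.yaml" 2>/dev/null | first_yaml_document)
  b=$(git show "$head:pnpm-lock.yaml" 2>/dev/null | first_yaml_document)
  [ "$a" != "$b" ]
}

# Constructed sample: a lockfile committing bootstrap records for pnpm 10.34.1.
constructed_sample_lockfile() {
  cat <<'EOF'
lockfileVersion: '9.0'
packageManagerDependencies:
  pnpm: 10.34.1
  '@pnpm/exe': 10.34.1
packages:
  pnpm@10.34.1:
    resolution: {integrity: sha512-CONSTRUCTED}
  '@pnpm/exe@10.34.1':
    resolution: {integrity: sha512-CONSTRUCTED}
---
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      left-pad:
        specifier: ^1.3.0
        version: 1.3.0
EOF
}

# Usage: sh check-pnpm-lock.sh /path/to/checkout
if [ "$#" -gt 0 ]; then
  dir=$1
  # Ask for the version from outside the checkout: inside it, any pnpm
  # invocation may itself trigger the version switch this issue abuses.
  installed=$(cd / && pnpm --version 2>/dev/null || echo 0.0.0)
  echo "installed pnpm $installed is $(pnpm_version_status "$installed")"
  if [ -f "$dir/pnpm-lock.yaml" ]; then
    if scan_bootstrap_metadata <"$dir/pnpm-lock.yaml"; then
      echo "no bootstrap metadata in $dir/pnpm-lock.yaml"
    else
      echo "REVIEW $dir/pnpm-lock.yaml before running pnpm in $dir"
    fi
  fi
fi
```

Source the file in a CI step and fail the job when scan_bootstrap_metadata exits 1 or bootstrap_doc_changed succeeds, so a pull request that introduces or alters bootstrap records reaches a reviewer before any job runs pnpm in that checkout. The scan deliberately flags presence rather than comparing version strings: the advisory's point is that the committed records, not the version numbers, choose the bytes that get executed.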
Executive Summary

CVE-2026-55698 is an arbitrary code execution vulnerability in the pnpm package manager affecting versions prior to 10.34.2 and 11.5.3. The issue arises because pnpm trusted package-manager bootstrap metadata stored in the first YAML document of pnpm-lock.yaml: when the committed env lockfile already held a resolved packageManagerDependencies entry with matching pnpm and @pnpm/exe versions, pnpm reused it instead of resolving the package manager afresh.

A malicious repository can therefore commit a lockfile whose package-manager records and snapshots bypass fresh resolution. When a user runs pnpm in a checkout of that repository, automatic version switching installs and executes the bytes selected by the committed lockfile state, with the user's privileges.

The fix forces package-manager entries to be re-resolved before installation and execution, so repository-controlled lockfile metadata is no longer reused.

Impact Analysis

An attacker who can get you to run pnpm in a checkout of a repository they control can execute arbitrary code on your system with your user privileges, compromising the confidentiality, integrity, and availability of that environment.

  • Arbitrary code execution during automatic version switching.
  • Installation of attacker-selected bytes in place of the expected pnpm and @pnpm/exe packages.
  • Potential compromise of any data reachable by that user and of the integrity of the build environment.
Mitigation Strategies

To mitigate this vulnerability, upgrade pnpm to a release that contains the fix.

  • Upgrade pnpm to 10.34.2 or later on the 10.x line, or 11.5.3 or later on the 11.x line; every release before 10.34.2, and every 11.x release before 11.5.3, is affected.
  • Before running pnpm in a checkout you did not produce yourself, review the first YAML document of pnpm-lock.yaml and treat any committed package-manager bootstrap metadata as untrusted until it has been verified.
  • Where that metadata cannot be vouched for, regenerate the lockfile with a patched pnpm from a trusted source rather than reusing the committed records.
Compliance Impact

Because exploitation yields arbitrary code execution with the affected user's privileges, a successful attack can expose or alter any data that user can reach. Where that includes personal or health information, the resulting breach may put the organisation in violation of the data-protection requirements of regimes such as GDPR and HIPAA.
