pnpm
npm · 9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting pnpm (page 1 of 1)
- CVE-2022-26183 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 6.15.1 · 2022-03-21
PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs whe…
- CVE-2023-37478 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 8.6.8 · 2023-08-01
pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package th…
- CVE-2024-47829 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 10.0.0 · 2025-04-23
pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different librarie…
- CVE-2024-53866 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 9.15.0 · 2024-12-10
The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and install…
- CVE-2025-69263 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 10.26.0 · 2026-01-07
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a…
- CVE-2025-69264 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 10.26.0 · 2026-01-07
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". Whil…
- CVE-2026-23888 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 10.28.1 · 2026-01-26
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) …
- CVE-2026-23890 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 10.28.1 · 2026-01-26
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypa…
- CVE-2026-24056 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 10.28.2 · 2026-01-26
pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package cont…
Check whether pnpm is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for pnpm CVEs against the assets you own.