Missing Support for Integrity Check Affecting pnpm package, versions <10.33.4, >=11.0.0 <11.0.7


Severity

medium (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.12% (2nd percentile)

  • Snyk ID: SNYK-JS-PNPM-17667990
  • Published: 29 Jun 2026
  • Disclosed: 26 Jun 2026
  • Credit: David Sherret

Introduced: 26 Jun 2026

CVE-2026-48995
CWE-353

How to fix?

Upgrade pnpm to version 10.33.4, 11.0.7 or higher.

Overview

pnpm is a fast, disk-space-efficient package manager.

Affected versions of this package are vulnerable to Missing Support for Integrity Check involving GitHub git dependencies, because the tarball hash for packages resolved from codeload.github.com is not recorded in the lockfile. An attacker who controls or intercepts that server can cause arbitrary tarball content to be installed in place of a GitHub git dependency, since pnpm installs whatever is delivered without validating it against a stored hash. Exploitation affects only projects that resolve dependencies as GitHub git dependencies, and it requires the attacker to compromise codeload.github.com or intercept its TLS-protected connection; the git commit reference recorded in the lockfile is not by itself enough to detect the substitution.
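The overview describes a lockfile that records where a tarball came from but not what it should hash to. A defender can audit for exactly that condition: lockfile entries resolved to a tarball URL that carry no `integrity` field. The script below is an added example written for this advisory, not code from pnpm or Snyk. It assumes the `packages:` section of a parsed pnpm-lock.yaml is a mapping of `name@spec` keys to entries with a `resolution` mapping that may contain `integrity` and `tarball` fields (that shape is an assumption modelled on pnpm lockfiles, not pnpm's specification), and the sample lockfile is constructed inline with placeholder hashes and commit ids. It flags every tarball resolution without an integrity hash, and separately marks which of those point at codeload.github.com, the host the advisory names.

```python
"""Audit a parsed pnpm-lock.yaml for tarball dependencies with no integrity hash.

Added example for this advisory; not pnpm's or Snyk's code. The lockfile shape
below is an assumption modelled on pnpm lockfiles, and all values are constructed.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Host named in the advisory whose tarballs had no stored hash.
GITHUB_TARBALL_HOST = "codeload.github.com"

# Constructed sample resembling a parsed pnpm-lock.yaml (placeholder values).
SAMPLE_LOCKFILE: dict = {
    "lockfileVersion": "9.0",
    "packages": {
        # Registry package: has an integrity hash, so substitution is detectable.
        "left-pad@1.3.0": {
            "resolution": {"integrity": "sha512-PLACEHOLDERHASH0000000000000000000000"},
        },
        # GitHub git dependency resolved to a codeload tarball: commit is in the
        # URL, but no hash of the tarball content is recorded (the advisory's case).
        "example-lib@https://codeload.github.com/example-org/example-lib/tar.gz/"
        "0123456789abcdef0123456789abcdef01234567": {
            "resolution": {
                "tarball": "https://codeload.github.com/example-org/example-lib/"
                           "tar.gz/0123456789abcdef0123456789abcdef01234567",
            },
        },
        # Plain URL tarball that does carry an integrity hash: not flagged.
        "other-lib@https://example.com/other-lib-1.0.0.tgz": {
            "resolution": {
                "integrity": "sha512-PLACEHOLDERHASH1111111111111111111111",
                "tarball": "https://example.com/other-lib-1.0.0.tgz",
            },
        },
        # Dependency cloned over git: pinned by commit, no tarball at all.
        "git-dep@git+ssh://git@github.com/example-org/git-dep.git#aaaaaaaa": {
            "resolution": {
                "type": "git",
                "repo": "git@github.com:example-org/git-dep.git",
                "commit": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
            },
        },
    },
}


def is_github_tarball(url: str) -> bool:
    """True when the tarball URL's host is exactly codeload.github.com."""
    return urlparse(url).hostname == GITHUB_TARBALL_HOST


def find_unverified_tarballs(lockfile: dict) -> list[dict]:
    """Return every package entry resolved to a tarball URL without an integrity hash.

    Each finding records the lockfile key, the tarball URL, and whether the
    URL points at GitHub's codeload host.
    """
    findings: list[dict] = []
    for key, entry in lockfile.get("packages", {}).items():
        resolution = entry.get("resolution") or {}
        tarball = resolution.get("tarball")
        if not tarball:
            continue  # registry or git-clone resolutions are not tarball fetches
        if resolution.get("integrity"):
            continue  # a stored hash lets pnpm reject substituted content
        findings.append({
            "package": key,
            "tarball": tarball,
            "github_codeload": is_github_tarball(tarball),
        })
    return findings


def load_lockfile(path: str) -> dict:
    """Parse a real pnpm-lock.yaml; requires PyYAML (imported lazily)."""
    import yaml  # optional dependency, only needed for real files

    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    import sys

    data = load_lockfile(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    for finding in find_unverified_tarballs(data):
        tag = "GITHUB" if finding["github_codeload"] else "OTHER"
        print(f"[{tag}] {finding['package']} -> {finding['tarball']}")
```

Run it against the constructed sample and only the codeload.github.com entry is reported; run it with a path argument to audit a project's own lockfile after upgrading, which should then record a hash for such entries.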
