Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade pnpm to version 10.34.0, 11.4.0 or higher.
pnpm is a fast, disk space efficient package manager.
Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the default behavior of pnpm install, which accepts tarball content that does not match the integrity value recorded in the lockfile. An attacker who controls the registry can replace the content of a previously locked package version and have it installed in place of the locked version, because on a mismatch the install reports the discrepancy, then performs automatic resolution repair, accepts the registry's new integrity, and updates the lockfile. Exploitation applies only to non-frozen installs, meaning a plain pnpm install without --frozen-lockfile, and requires the attacker to control or compromise the registry so it serves different content for an already-published version.
This vulnerability can be avoided by running installs with --frozen-lockfile (or setting frozen-lockfile in configuration), which enforces the committed lockfile integrity and rejects content that does not match.
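The check a frozen install enforces, as an added example that is not pnpm's or Snyk's code: given the integrity values recorded in pnpm-lock.yaml and the tarball bytes the registry actually served, refuse any package whose content does not match instead of accepting the registry's new hash. The lockfile text, the package name and the tarball bytes below are constructed; the lockfile layout mimics the v9 `packages:` section.

```python
"""Enforce lockfile integrity on served tarballs (added example, not pnpm code)."""
import base64
import hashlib
import re

# Per-package entry of a v9 pnpm-lock.yaml, e.g.
#   left-pad@1.3.0:
#     resolution: {integrity: sha512-...}
# Scoped packages are quoted, so the quotes are optional.
_PKG_RE = re.compile(
    r"^  '?(?P<name>[^':\n]+)'?:\n"
    r"    resolution: \{integrity: (?P<sri>sha512-[A-Za-z0-9+/=]+)\}",
    re.MULTILINE,
)


def sri_sha512(data):
    """Subresource Integrity string (sha512-<base64>) as pnpm records it."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def locked_integrity(lockfile_text):
    """Map 'name@version' -> integrity string recorded in the lockfile."""
    return {m["name"]: m["sri"] for m in _PKG_RE.finditer(lockfile_text)}


def verify_served_tarballs(lockfile_text, served):
    """Return {pkg: (expected, actual)} for every served tarball whose bytes do
    not match the locked integrity (or that is not in the lockfile at all).
    An empty dict means every served package matches and may be installed."""
    locked = locked_integrity(lockfile_text)
    mismatches = {}
    for pkg, data in served.items():
        expected = locked.get(pkg)
        actual = sri_sha512(data)
        if expected is None or actual != expected:
            mismatches[pkg] = (expected, actual)
    return mismatches


# Constructed sample data: the bytes locked at publish time and a later
# replacement the registry could serve for the same version.
GOOD_TARBALL = b"left-pad-1.3.0 original tarball bytes (constructed)"
TAMPERED_TARBALL = b"left-pad-1.3.0 replaced tarball bytes (constructed)"
LOCKFILE = (
    "lockfileVersion: '9.0'\n\npackages:\n\n"
    "  left-pad@1.3.0:\n"
    f"    resolution: {{integrity: {sri_sha512(GOOD_TARBALL)}}}\n"
)

if __name__ == "__main__":
    print(verify_served_tarballs(LOCKFILE, {"left-pad@1.3.0": GOOD_TARBALL}))
    print(verify_served_tarballs(LOCKFILE, {"left-pad@1.3.0": TAMPERED_TARBALL}))
```

In a CI pipeline the same outcome is obtained by running `pnpm install --frozen-lockfile`, which fails the install on a mismatch rather than rewriting the lockfile.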