CVE-2026-48995 in pnpm

Summary

by MITRE • 06/25/2026

pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if this server was compromised or a person's machine configuration was compromised, pnpm would download and install these dependencies. This vulnerability is fixed in 10.33.4 and 11.0.7.


Analysis

by VulDB Data Team • 06/26/2026

This vulnerability represents a critical supply chain security flaw in pnpm package manager that undermines the integrity of dependency resolution through GitHub repositories. The issue stems from the absence of cryptographic verification mechanisms for dependencies sourced from codeload.github.com, creating an attack surface where malicious actors can substitute legitimate packages with compromised ones without detection. When pnpm processes package installations from GitHub URLs, it relies solely on the lockfile for version specification but fails to validate the cryptographic hash of downloaded tarballs against the expected values stored in the lockfile. This design gap allows adversaries to compromise the codeload.github.com server or exploit machine configuration vulnerabilities to serve malicious content that will be silently installed by pnpm installations.

The technical flaw manifests as a failure in the package integrity verification process: pnpm operates under the assumption that GitHub repositories provide authentic content and implements no additional check. This vulnerability directly relates to CWE-494, "Download of Code Without Integrity Check", and aligns with ATT&CK technique T1133, "External Remote Services", and T1059.2.001, "Command and Scripting Interpreter: Visual Basic". The root cause lies in the absence of content-addressable storage verification, where each dependency should be cryptographically validated against its expected hash value before installation occurs.

The operational impact of this vulnerability extends beyond simple package substitution to encompass complete system compromise scenarios. An attacker who gains control over codeload.github.com or can manipulate network traffic between the client and GitHub servers can replace legitimate packages with malicious versions containing backdoors, credential stealers, or other harmful payloads. This threat is particularly severe because developers often trust their lockfiles as the authoritative source of dependency integrity, making this vulnerability especially dangerous in automated deployment environments where pnpm executes without manual intervention. The vulnerability affects all versions prior to 10.33.4 and 11.0.7, leaving extensive user bases exposed to potential supply chain attacks.

Mitigation requires both immediate protection and longer-term improvements. Users should upgrade to pnpm 10.33.4 or 11.0.7, where the vulnerability is patched by implementing cryptographic hash verification for GitHub dependencies. Organizations should monitor network traffic for unusual patterns around GitHub downloads and consider additional controls such as artifact repositories that perform their own integrity verification. The fix incorporates SHA-256 hash validation during dependency installation, ensuring that downloaded tarballs match the expected hash values stored in the lockfile. Security teams should also audit their dependency trees regularly and use software composition analysis tools to detect potentially compromised packages. This vulnerability underscores the importance of robust integrity verification in package managers as a fundamental control against supply chain attacks.

Responsible: GitHub M
Reservation: 05/27/2026
Disclosure: 06/25/2026
Moderation: accepted
CPE: ready
EPSS: 0.00124
KEV: no
Activities: low
