CVE-2026-55487 in pnpm

Summary

by MITRE • 06/25/2026

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator normalized to the same value. This vulnerability is fixed in 10.34.2 and 11.5.3.


Analysis

by VulDB Data Team • 06/25/2026

The pnpm package manager suffered from a critical normalization vulnerability that affected versions prior to 10.34.2 and 11.5.3, creating a potential security risk through improper handling of locator strings during dependency resolution. This flaw specifically impacted the generic peer-suffix normalizer component which was responsible for processing various types of package locators including git repositories, URLs, tarball references, file paths, and other opaque locator formats that are commonly used in package management workflows. The vulnerability stemmed from an overly aggressive normalization process that stripped parenthesized text from these locator strings regardless of their context or intended purpose within the dependency resolution system.

The technical flaw created a dangerous condition where two distinct attacker-controlled sources could be treated as equivalent if they normalized to identical values. When the normalizer encountered locators containing parenthesized content, it removed those segments from the string representation, so an attacker could craft different source specifications that resolved to the same normalized value. This opened the door to supply chain attacks in which an attacker submits a legitimate-looking package reference that the system accepts, but which actually resolves to a different, malicious component, because the stripped parenthesized content formed part of the source's identifier or authentication data.

The operational impact of this vulnerability extends beyond simple dependency resolution issues and represents a significant risk to software supply chain security. Attackers could exploit this weakness to bypass security controls designed to prevent the installation of packages from unauthorized sources, potentially allowing malicious code to be introduced into development environments and production systems without proper authorization checks. The vulnerability affects the core package management functionality that is fundamental to modern software development workflows, making it particularly dangerous as it operates at a foundational level in the dependency resolution pipeline.

This security issue aligns with CWE-254, which addresses weaknesses in the normalization of input data, and demonstrates characteristics consistent with software supply chain attacks that leverage normalization flaws to circumvent validation controls. The fix implemented in versions 10.34.2 and 11.5.3 specifically addresses this normalization behavior by ensuring that parenthesized text within locator strings is preserved during normalization, preventing the scenario where different sources could be treated as equivalent due to aggressive content stripping. Organizations using pnpm should immediately upgrade to these patched versions to mitigate the risk of supply chain compromise and ensure proper validation of package sources throughout their dependency resolution processes. The vulnerability also relates to ATT&CK technique T1195.002, which covers supply chain compromise through tampering with build systems or package repositories, emphasizing the importance of maintaining integrity in package management workflows.

The remediation approach required changes to how pnpm handles locator normalization, specifically modifying the peer-suffix normalizer to preserve parenthesized content that might be significant for authenticating or identifying specific package sources. This fix ensures that the system maintains the semantic meaning of locator strings while still providing necessary normalization for compatibility purposes, preventing attackers from exploiting the normalization process to substitute one legitimate-looking source for another. The updated implementation maintains security controls while preserving functional compatibility with existing package management workflows.
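To make the normalization collision concrete, here is an added JavaScript illustration (not pnpm's own code; the locator forms, the opaque-prefix list and the approval check are assumed for the example) contrasting a normalizer that strips every parenthesized segment with one that only removes the trailing peer suffix of a registry-style dependency path:

```javascript
// Added illustration, not pnpm's code: contrast a normalizer that strips
// every parenthesized segment with one that removes only the trailing
// peer suffix of a registry-style dependency path. All locator strings
// below are constructed for this example.

// Opaque locators (git, URL, tarball, file, link) are identities in
// themselves and must be compared byte-for-byte. Prefix list is assumed.
const OPAQUE_LOCATOR = /^(git\+|https?:|file:|link:|github:|gitlab:|bitbucket:)/i;

// A peer suffix sits at the very end of a registry path, e.g.
// "react-dom@18.2.0(react@18.2.0)". One level of parentheses is enough here.
const TRAILING_PEER_SUFFIX = /\([^()]*\)$/;

// Vulnerable pattern: drop every "(...)" wherever it appears.
function normalizeVulnerable(locator) {
  return locator.replace(/\([^)]*\)/g, '');
}

// Hardened pattern: leave opaque locators untouched; only registry
// dependency paths have their trailing peer suffix removed.
function normalizeHardened(locator) {
  if (OPAQUE_LOCATOR.test(locator)) return locator;
  return locator.replace(TRAILING_PEER_SUFFIX, '');
}

// Approval check modelled on the advisory: a candidate source is accepted
// when its normalized form equals that of an already-approved source.
function isApproved(approvedSources, candidate, normalize) {
  const allowed = new Set(approvedSources.map(normalize));
  return allowed.has(normalize(candidate));
}

// Constructed scenario: one approved tarball URL and a different URL that
// collapses onto it once the parenthesized segment is stripped.
const APPROVED = ['https://example.test/pkg.tgz'];
const LOOKALIKE = 'https://example.test/pkg(other).tgz';

function demo() {
  return {
    vulnerableAccepts: isApproved(APPROVED, LOOKALIKE, normalizeVulnerable), // true
    hardenedAccepts: isApproved(APPROVED, LOOKALIKE, normalizeHardened),     // false
    registryStillNormalized: normalizeHardened('react-dom@18.2.0(react@18.2.0)'), // 'react-dom@18.2.0'
  };
}

console.log(demo());
```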

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00110

KEV

no

Activities

low
