ГлавнаяУязвимости → CVE-2026-48995
7.5высокая

CVE-2026-48995

Описание

pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if this server was compromised or a person's machine configuration was compromised, pnpm would download and install these dependencies. This vulnerability is fixed in 10.33.4 and 11.0.7.

Затрагиваемое ПО
Pnpm Pnpm
CVSS
Балл7.5 — высокая
ВекторCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Источники
https://github.com/pnpm/pnpm/security/advisories/GHSA-hg3w-7f8c-63hphttps://github.com/pnpm/pnpm/security/advisories/GHSA-hg3w-7f8c-63hp