Vulnerability-Lookup

CVE-2026-55698 (GCVE-0-2026-55698)

Vulnerability from cvelistv5 – Published: 2026-06-25 16:43 – Updated: 2026-06-26 03:56

Title

pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes

Summary

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained matching pnpm and @pnpm/exe versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching. This vulnerability is fixed in 10.34.2 and 11.5.3.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-345 - Insufficient Verification of Data Authenticity
CWE-494 - Download of Code Without Integrity Check
CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/pnpm/pnpm/security/advisories/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
pnpm	pnpm	Affected: < 10.34.2 Affected: >= 11.0.0, < 11.5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55698",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T03:56:12.858Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pnpm",
          "vendor": "pnpm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 10.34.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 11.0.0, \u003c 11.5.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained matching pnpm and @pnpm/exe versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching. This vulnerability is fixed in 10.34.2 and 11.5.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-494",
              "description": "CWE-494: Download of Code Without Integrity Check",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-829",
              "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T16:43:47.251Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp"
        }
      ],
      "source": {
        "advisory": "GHSA-w466-c33r-3gjp",
        "discovery": "UNKNOWN"
      },
      "title": "pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-55698",
    "datePublished": "2026-06-25T16:43:47.251Z",
    "dateReserved": "2026-06-17T00:13:10.651Z",
    "dateUpdated": "2026-06-26T03:56:12.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-55698",
      "date": "2026-06-27",
      "epss": "0.00171",
      "percentile": "0.06722"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-55698\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-26T02:08:52.748081Z\"}}}], \"references\": [{\"url\": \"https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-26T02:09:17.743Z\"}}], \"cna\": {\"title\": \"pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes\", \"source\": {\"advisory\": \"GHSA-w466-c33r-3gjp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"pnpm\", \"product\": \"pnpm\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 10.34.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 11.0.0, \u003c 11.5.3\"}]}], \"references\": [{\"url\": \"https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp\", \"name\": \"https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained matching pnpm and @pnpm/exe versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching. This vulnerability is fixed in 10.34.2 and 11.5.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-345\", \"description\": \"CWE-345: Insufficient Verification of Data Authenticity\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-494\", \"description\": \"CWE-494: Download of Code Without Integrity Check\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-829\", \"description\": \"CWE-829: Inclusion of Functionality from Untrusted Control Sphere\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-25T16:43:47.251Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-55698\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-26T03:56:12.858Z\", \"dateReserved\": \"2026-06-17T00:13:10.651Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-25T16:43:47.251Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-W466-C33R-3GJP

Vulnerability from github – Published: 2026-06-26 23:34 – Updated: 2026-06-26 23:34

Summary

pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes

Details

Maintainer Action Plan

This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path.

Advisory: CAND-PNPM-063 / GHSA-w466-c33r-3gjp
Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp
Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1
Shared patch branch: security/ghsa-batch-2026-06-09
Patch commit: a93449314f398cf4bdf2e28d033c02d37395ad22
Base commit: origin/main 55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec
Maintainer priority: start-here
Component: pnpm packageManager env lockfile
Patch area: package-manager env lockfile is re-resolved through trusted registries before execution
Affected packages: npm:pnpm, npm:@pnpm/installing.env-installer
CWE IDs: CWE-829, CWE-494, CWE-345
Conservative CVSS: 8.8 / CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Next action: review the shared patch branch for this component, set the final affected version range, merge and release the fix, then publish or close the advisory.

Expected Patched Behavior

Committed env-lockfile package-manager entries are force-refreshed through trusted registries before execution; attacker tarball requests and markers stay at zero.

Files And Tests To Review

installing/env-installer/src/resolvePackageManagerIntegrities.ts
pnpm/src/switchCliVersion.ts
pnpm/src/switchCliVersion.test.ts
.changeset/clean-package-manager-registries.md

Focused Validation

Run these from a checkout of the shared patch branch. They are the useful maintainer commands with machine-local artifact paths removed.

./node_modules/.bin/tsgo --build installing/env-installer/tsconfig.json
./node_modules/.bin/tsgo --build pnpm/tsconfig.json
PNPM_REGISTRY_MOCK_PORT=7799 NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../node_modules/.bin/jest src/switchCliVersion.test.ts -t "re-resolved package-manager lockfile" --runInBand
PNPM_REGISTRY_MOCK_PORT=7799 NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../node_modules/.bin/jest src/switchCliVersion.test.ts src/syncEnvLockfile.test.ts --runInBand
./node_modules/.bin/eslint installing/env-installer/src/resolvePackageManagerIntegrities.ts pnpm/src/switchCliVersion.ts pnpm/src/switchCliVersion.test.ts
git diff --check

The full patched replay for the shared branch passed with all 20 candidates marked fixed. This candidate's replay evidence is results/CAND-PNPM-063-patched-result.json.

Summary

pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained matching pnpm and @pnpm/exe versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching.

Details

The vulnerable source-to-sink path was:

lockfile/fs/src/envLockfile.ts reads the repository's first YAML lockfile document and validates shape only.
pnpm/src/main.ts reaches switchCliVersion() when a direct pnpm invocation sees a wanted pnpm package manager with onFail=download.
pnpm/src/switchCliVersion.ts reads the committed env lockfile when package-manager metadata should be persisted.
installing/env-installer/src/resolvePackageManagerIntegrities.ts treated packageManagerDependencies as resolved when only the pnpm and @pnpm/exe versions matched.
engine/pm/commands/src/self-updater/installPnpm.ts converts env-lockfile snapshots and packages into the wanted lockfile used by headlessInstall().
pnpm/src/switchCliVersion.ts executes the installed pnpm binary with spawn.sync().

The helper fast path is intentionally still version-based for non-execution callers, so the security boundary is enforced at the execution path: switchCliVersion() now re-resolves already present package-manager env-lockfile entries before they can reach installPnpmToStore() and spawn.sync().

PoC

Standalone PoC and verification script:

The PoC constructs a committed env-lockfile object with matching package-manager dependency versions and attacker-selected package metadata:

{
  "importers": {
    ".": {
      "configDependencies": {},
      "packageManagerDependencies": {
        "@pnpm/exe": { "specifier": "9.3.0", "version": "9.3.0" },
        "pnpm": { "specifier": "9.3.0", "version": "9.3.0" }
      }
    }
  },
  "lockfileVersion": "9.0",
  "packages": {
    "/pnpm@9.3.0": {
      "resolution": {
        "integrity": "sha512-poisoned"
      }
    }
  },
  "snapshots": {
    "/pnpm@9.3.0": {}
  }
}

Pre-patch exploit model:

The victim runs pnpm directly in a malicious repository.
The requested package-manager version differs from the currently running pnpm.
pnpm enters switchCliVersion() and reads the committed env lockfile.
Matching pnpm / @pnpm/exe versions short-circuit package-manager resolution.
pnpm installs from the committed env-lockfile package records and executes the resulting pnpm binary.

Observed primitive proof from the PoC:

{
  "primitive": "unforced resolver reuses already-resolved env lockfile metadata",
  "isResolvedByVersionOnly": true,
  "reusedPoisonedIntegrity": true
}

The same script then runs the patched switchCliVersion regression. The regression seeds a poisoned committed env lockfile, has the resolver return a trusted replacement lockfile, and asserts installPnpmToStore() receives the trusted lockfile rather than the committed one. This would fail on the vulnerable control flow because the resolver was not called and the committed lockfile reached the installer.

Focused validation commands:

./node_modules/.bin/tsgo --build installing/env-installer/tsconfig.json
./node_modules/.bin/tsgo --build pnpm/tsconfig.json
PNPM_REGISTRY_MOCK_PORT=7799 NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../node_modules/.bin/jest src/switchCliVersion.test.ts -t "re-resolved package-manager lockfile" --runInBand
PNPM_REGISTRY_MOCK_PORT=7799 NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../node_modules/.bin/jest src/switchCliVersion.test.ts src/syncEnvLockfile.test.ts --runInBand
./node_modules/.bin/eslint installing/env-installer/src/resolvePackageManagerIntegrities.ts pnpm/src/switchCliVersion.ts pnpm/src/switchCliVersion.test.ts
git diff --check

Validation result:

The PoC confirmed the unforced resolver still reuses a version-matching env lockfile, proving the original primitive.
Patched switchCliVersion() calls resolvePackageManagerIntegrities() with force: true when committed env-lockfile package-manager entries already satisfy the requested version.
Patched switchCliVersion() assigns the resolver return value back to envLockfile.
The installer receives the refreshed lockfile and not the poisoned committed lockfile.
TypeScript builds passed for @pnpm/installing.env-installer and pnpm.
The focused Jest regression passed: 1 passed, 1 skipped in switchCliVersion.test.ts.
ESLint passed for the affected package-manager switch files.
git diff --check passed.

Impact

A malicious repository can cause arbitrary package-manager code execution in the victim's developer or CI environment before normal command handling continues. That code executes with the victim user's privileges and can read local secrets, alter project files, mutate dependency state, or run further commands.

Affected products

Ecosystem: npm

Package name: pnpm, @pnpm/installing.env-installer

Affected versions: current main before this patch; direct pnpm execution with package-manager auto-switching and a repository-controlled env lockfile.

Patched versions: pending release containing this patch.

Severity

Severity: High

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base score: 8.8

Rationale: the malicious source is repository-controlled package-manager lockfile state delivered through normal supply-chain channels. Exploitation is low complexity once the victim runs pnpm directly, no attacker privileges are required, and user interaction is required. Successful exploitation executes attacker-selected package-manager code in the victim user's security context, with high confidentiality, integrity, and availability impact.

Weaknesses

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CWE-494: Download of Code Without Integrity Check

CWE-345: Insufficient Verification of Data Authenticity

Patch

The patch makes automatic package-manager switching re-resolve repository-provided bootstrap metadata before install and execution:

resolvePackageManagerIntegrities() accepts force, which bypasses the version-only fast path.
switchCliVersion() creates a store controller even when the committed env lockfile already contains satisfying package-manager dependency versions.
switchCliVersion() calls resolvePackageManagerIntegrities() with force: true for already resolved package-manager entries.
switchCliVersion() assigns the returned env lockfile back to envLockfile, so installPnpmToStore() installs from freshly resolved metadata.
The package-manager bootstrap registry hardening from CAND-PNPM-061 is reused, so the refresh happens through trusted package-manager registries rather than repository workspace registries.

Changed files:

installing/env-installer/src/resolvePackageManagerIntegrities.ts
pnpm/src/switchCliVersion.ts
pnpm/src/switchCliVersion.test.ts

Changeset:

.changeset/clean-package-manager-registries.md

Pacquet parity:

No pacquet-side patch is required for this finding because pacquet does not implement pnpm's package-manager auto-switch path or installPnpmToStore().

CVSS Reassessment

Initial CVSS remains correct for vulnerable versions: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H / 8.8 High.

Final CVSS after patch: not vulnerable after patch / 0.0. The PoC still demonstrates the underlying unforced env-lockfile reuse primitive, but the patched execution path force-refreshes package-manager metadata through trusted bootstrap registries before install or execution.

Remaining Risk

The helper resolvePackageManagerIntegrities() still has an unforced fast path that treats matching pnpm and @pnpm/exe versions as resolved. Current execution-sensitive callers either use trusted roots/registries or pass through the patched switchCliVersion() boundary, but future execution paths should use force: true before installing or executing package-manager bytes from repository-provided env-lockfile metadata.

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pnpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.34.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "pnpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55698"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-494",
      "CWE-829"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T23:34:06Z",
    "nvd_published_at": "2026-06-25T18:16:40Z",
    "severity": "HIGH"
  },
  "details": "\u003c!-- maintainer-action:start --\u003e\n## Maintainer Action Plan\n\nThis report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path.\n\n- Advisory: `CAND-PNPM-063` / `GHSA-w466-c33r-3gjp`\n- Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp\n- Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1\n- Shared patch branch: `security/ghsa-batch-2026-06-09`\n- Patch commit: `a93449314f398cf4bdf2e28d033c02d37395ad22`\n- Base commit: `origin/main` `55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec`\n- Maintainer priority: `start-here`\n- Component: `pnpm packageManager env lockfile`\n- Patch area: package-manager env lockfile is re-resolved through trusted registries before execution\n- Affected packages: `npm:pnpm`, `npm:@pnpm/installing.env-installer`\n- CWE IDs: `CWE-829`, `CWE-494`, `CWE-345`\n- Conservative CVSS: `8.8` / `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`\n- Next action: review the shared patch branch for this component, set the final affected version range, merge and release the fix, then publish or close the advisory.\n\n### Expected Patched Behavior\n\nCommitted env-lockfile package-manager entries are force-refreshed through trusted registries before execution; attacker tarball requests and markers stay at zero.\n\n### Files And Tests To Review\n\n- `installing/env-installer/src/resolvePackageManagerIntegrities.ts`\n- `pnpm/src/switchCliVersion.ts`\n- `pnpm/src/switchCliVersion.test.ts`\n- `.changeset/clean-package-manager-registries.md`\n\n### Focused Validation\n\nRun these from a checkout of the shared patch branch. They are the useful maintainer commands with machine-local artifact paths removed.\n\n```bash\n./node_modules/.bin/tsgo --build installing/env-installer/tsconfig.json\n./node_modules/.bin/tsgo --build pnpm/tsconfig.json\nPNPM_REGISTRY_MOCK_PORT=7799 NODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../node_modules/.bin/jest src/switchCliVersion.test.ts -t \"re-resolved package-manager lockfile\" --runInBand\nPNPM_REGISTRY_MOCK_PORT=7799 NODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../node_modules/.bin/jest src/switchCliVersion.test.ts src/syncEnvLockfile.test.ts --runInBand\n./node_modules/.bin/eslint installing/env-installer/src/resolvePackageManagerIntegrities.ts pnpm/src/switchCliVersion.ts pnpm/src/switchCliVersion.test.ts\ngit diff --check\n```\n\nThe full patched replay for the shared branch passed with all 20 candidates marked fixed. This candidate\u0027s replay evidence is `results/CAND-PNPM-063-patched-result.json`.\n\u003c!-- maintainer-action:end --\u003e\n\n### Summary\n\npnpm can persist package-manager bootstrap metadata in the first YAML document of `pnpm-lock.yaml`. Before the patch, direct pnpm execution trusted an already resolved `packageManagerDependencies` entry when the committed env lockfile contained matching `pnpm` and `@pnpm/exe` versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching.\n\n### Details\n\nThe vulnerable source-to-sink path was:\n\n- `lockfile/fs/src/envLockfile.ts` reads the repository\u0027s first YAML lockfile document and validates shape only.\n- `pnpm/src/main.ts` reaches `switchCliVersion()` when a direct pnpm invocation sees a wanted `pnpm` package manager with `onFail=download`.\n- `pnpm/src/switchCliVersion.ts` reads the committed env lockfile when package-manager metadata should be persisted.\n- `installing/env-installer/src/resolvePackageManagerIntegrities.ts` treated `packageManagerDependencies` as resolved when only the `pnpm` and `@pnpm/exe` versions matched.\n- `engine/pm/commands/src/self-updater/installPnpm.ts` converts env-lockfile `snapshots` and `packages` into the wanted lockfile used by `headlessInstall()`.\n- `pnpm/src/switchCliVersion.ts` executes the installed `pnpm` binary with `spawn.sync()`.\n\nThe helper fast path is intentionally still version-based for non-execution callers, so the security boundary is enforced at the execution path: `switchCliVersion()` now re-resolves already present package-manager env-lockfile entries before they can reach `installPnpmToStore()` and `spawn.sync()`.\n\n### PoC\n\nStandalone PoC and verification script:\n\nThe PoC constructs a committed env-lockfile object with matching package-manager dependency versions and attacker-selected package metadata:\n\n```json\n{\n  \"importers\": {\n    \".\": {\n      \"configDependencies\": {},\n      \"packageManagerDependencies\": {\n        \"@pnpm/exe\": { \"specifier\": \"9.3.0\", \"version\": \"9.3.0\" },\n        \"pnpm\": { \"specifier\": \"9.3.0\", \"version\": \"9.3.0\" }\n      }\n    }\n  },\n  \"lockfileVersion\": \"9.0\",\n  \"packages\": {\n    \"/pnpm@9.3.0\": {\n      \"resolution\": {\n        \"integrity\": \"sha512-poisoned\"\n      }\n    }\n  },\n  \"snapshots\": {\n    \"/pnpm@9.3.0\": {}\n  }\n}\n```\n\nPre-patch exploit model:\n\n1. The victim runs pnpm directly in a malicious repository.\n2. The requested package-manager version differs from the currently running pnpm.\n3. pnpm enters `switchCliVersion()` and reads the committed env lockfile.\n4. Matching `pnpm` / `@pnpm/exe` versions short-circuit package-manager resolution.\n5. pnpm installs from the committed env-lockfile package records and executes the resulting `pnpm` binary.\n\nObserved primitive proof from the PoC:\n\n```json\n{\n  \"primitive\": \"unforced resolver reuses already-resolved env lockfile metadata\",\n  \"isResolvedByVersionOnly\": true,\n  \"reusedPoisonedIntegrity\": true\n}\n```\n\nThe same script then runs the patched `switchCliVersion` regression. The regression seeds a poisoned committed env lockfile, has the resolver return a trusted replacement lockfile, and asserts `installPnpmToStore()` receives the trusted lockfile rather than the committed one. This would fail on the vulnerable control flow because the resolver was not called and the committed lockfile reached the installer.\n\nFocused validation commands:\n\n```bash\n./node_modules/.bin/tsgo --build installing/env-installer/tsconfig.json\n./node_modules/.bin/tsgo --build pnpm/tsconfig.json\nPNPM_REGISTRY_MOCK_PORT=7799 NODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../node_modules/.bin/jest src/switchCliVersion.test.ts -t \"re-resolved package-manager lockfile\" --runInBand\nPNPM_REGISTRY_MOCK_PORT=7799 NODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../node_modules/.bin/jest src/switchCliVersion.test.ts src/syncEnvLockfile.test.ts --runInBand\n./node_modules/.bin/eslint installing/env-installer/src/resolvePackageManagerIntegrities.ts pnpm/src/switchCliVersion.ts pnpm/src/switchCliVersion.test.ts\ngit diff --check\n```\n\nValidation result:\n\n- The PoC confirmed the unforced resolver still reuses a version-matching env lockfile, proving the original primitive.\n- Patched `switchCliVersion()` calls `resolvePackageManagerIntegrities()` with `force: true` when committed env-lockfile package-manager entries already satisfy the requested version.\n- Patched `switchCliVersion()` assigns the resolver return value back to `envLockfile`.\n- The installer receives the refreshed lockfile and not the poisoned committed lockfile.\n- TypeScript builds passed for `@pnpm/installing.env-installer` and `pnpm`.\n- The focused Jest regression passed: 1 passed, 1 skipped in `switchCliVersion.test.ts`.\n- ESLint passed for the affected package-manager switch files.\n- `git diff --check` passed.\n\n### Impact\n\nA malicious repository can cause arbitrary package-manager code execution in the victim\u0027s developer or CI environment before normal command handling continues. That code executes with the victim user\u0027s privileges and can read local secrets, alter project files, mutate dependency state, or run further commands.\n\n## Affected products\n\nEcosystem: npm\n\nPackage name: `pnpm`, `@pnpm/installing.env-installer`\n\nAffected versions: current main before this patch; direct pnpm execution with package-manager auto-switching and a repository-controlled env lockfile.\n\nPatched versions: pending release containing this patch.\n\n## Severity\n\nSeverity: High\n\nVector string: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`\n\nBase score: 8.8\n\nRationale: the malicious source is repository-controlled package-manager lockfile state delivered through normal supply-chain channels. Exploitation is low complexity once the victim runs pnpm directly, no attacker privileges are required, and user interaction is required. Successful exploitation executes attacker-selected package-manager code in the victim user\u0027s security context, with high confidentiality, integrity, and availability impact.\n\n## Weaknesses\n\nCWE-829: Inclusion of Functionality from Untrusted Control Sphere\n\nCWE-494: Download of Code Without Integrity Check\n\nCWE-345: Insufficient Verification of Data Authenticity\n\n## Patch\n\nThe patch makes automatic package-manager switching re-resolve repository-provided bootstrap metadata before install and execution:\n\n- `resolvePackageManagerIntegrities()` accepts `force`, which bypasses the version-only fast path.\n- `switchCliVersion()` creates a store controller even when the committed env lockfile already contains satisfying package-manager dependency versions.\n- `switchCliVersion()` calls `resolvePackageManagerIntegrities()` with `force: true` for already resolved package-manager entries.\n- `switchCliVersion()` assigns the returned env lockfile back to `envLockfile`, so `installPnpmToStore()` installs from freshly resolved metadata.\n- The package-manager bootstrap registry hardening from CAND-PNPM-061 is reused, so the refresh happens through trusted package-manager registries rather than repository workspace registries.\n\nChanged files:\n\n- `installing/env-installer/src/resolvePackageManagerIntegrities.ts`\n- `pnpm/src/switchCliVersion.ts`\n- `pnpm/src/switchCliVersion.test.ts`\n\nChangeset:\n\n- `.changeset/clean-package-manager-registries.md`\n\nPacquet parity:\n\nNo pacquet-side patch is required for this finding because pacquet does not implement pnpm\u0027s package-manager auto-switch path or `installPnpmToStore()`.\n\n## CVSS Reassessment\n\nInitial CVSS remains correct for vulnerable versions: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` / 8.8 High.\n\nFinal CVSS after patch: not vulnerable after patch / 0.0. The PoC still demonstrates the underlying unforced env-lockfile reuse primitive, but the patched execution path force-refreshes package-manager metadata through trusted bootstrap registries before install or execution.\n\n## Remaining Risk\n\nThe helper `resolvePackageManagerIntegrities()` still has an unforced fast path that treats matching `pnpm` and `@pnpm/exe` versions as resolved. Current execution-sensitive callers either use trusted roots/registries or pass through the patched `switchCliVersion()` boundary, but future execution paths should use `force: true` before installing or executing package-manager bytes from repository-provided env-lockfile metadata.",
  "id": "GHSA-w466-c33r-3gjp",
  "modified": "2026-06-26T23:34:06Z",
  "published": "2026-06-26T23:34:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-w466-c33r-3gjp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55698"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pnpm/pnpm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-55698 (GCVE-0-2026-55698)

GHSA-W466-C33R-3GJP

Maintainer Action Plan

Expected Patched Behavior

Files And Tests To Review

Focused Validation

Summary

Details

PoC

Impact

Affected products

Severity

Weaknesses

Patch

CVSS Reassessment

Remaining Risk

Tags

Sightings

Nomenclature