PatchSiren cyber security CVE debrief
CVE-2026-50573 pnpm CVE debrief
CVE-2026-50573 is a vulnerability in pnpm, a package manager used for Node.js projects. The issue arises during the installation of packages in non-frozen mode. Prior to versions 10.34.0 and 11.4.0, pnpm's install process can accept new remote package content even after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. This occurs when a package is already locked with an integrity value, but the registry later serves different metadata and tarball content for the same package name and version. Initially, pnpm reports an integrity mismatch. However, in a plain pnpm install, a resolution repair is performed, accepting the registry's new integrity, updating the lockfile, installing the new content, and exiting successfully. This means the lockfile integrity check does not act as a hard stop by default. The vulnerability is fixed in pnpm versions 10.34.0 and 11.4.0.
- Vendor: pnpm
- Product: Unknown
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-25
- Original CVE updated: 2026-06-29
- Advisory published: 2026-06-25
- Advisory updated: 2026-06-29
Who should care
Developers and security teams using pnpm for Node.js projects should be aware of this vulnerability. The behaviour is specific to non-frozen installs (a plain pnpm install that is allowed to update pnpm-lock.yaml), so anyone who relies on the lockfile to pin exact package content, on developer machines or in CI, should update to a fixed version. Given the medium severity and the direct effect on package integrity, environments where the lockfile is treated as the record of what actually ships should prioritise the update.
Technical summary
In non-frozen mode, pnpm does not treat a lockfile integrity mismatch as a hard stop. When a package is already locked with an integrity value and the registry later serves different metadata and tarball content for the same package name and version, pnpm first reports the mismatch, then handles it as a resolution to repair: it accepts the registry's new integrity, rewrites pnpm-lock.yaml, installs the new content and exits successfully. The lockfile therefore records what was installed rather than constraining it. The precondition is that the registry, or whatever the installer is actually talking to in its place, returns different content for an already-locked version; a normal version bump is not the same case, because that produces a new locked version rather than changing the integrity of an existing one. Frozen mode (--frozen-lockfile) is outside the affected path because pnpm refuses to rewrite the lockfile there, which is why the advisory recommends it.
Defensive priority
High priority should be given to updating pnpm to 10.34.0 or later on the 10.x line, or 11.4.0 or later on 11.x, so that an integrity mismatch is enforced as a failure. Until the update lands, and as a standing control afterwards, run installs with --frozen-lockfile wherever pnpm-lock.yaml is meant to be authoritative (CI, release builds), since the issue does not arise in frozen mode. Confirm which pnpm version each pipeline actually runs with pnpm --version; a pinned packageManager field in package.json can still select an older pnpm than the one on the developer's machine.
Recommended defensive actions
- Update pnpm to 10.34.0 or later (10.x) or 11.4.0 or later (11.x), and confirm the version in use with pnpm --version on every machine and pipeline that installs.
- Run pnpm install --frozen-lockfile in CI and release builds, where pnpm-lock.yaml is expected to be authoritative; in that mode a lockfile that would need changes is a failure rather than a repair.
- Treat any change to an existing integrity value in pnpm-lock.yaml as suspicious: fail a build whose install leaves the lockfile modified, and review lockfile diffs in pull requests for integrity changes on versions that did not change.
- Monitor the registry, or the internal mirror or proxy that installs actually talk to, for packages whose tarball or metadata changed for an already-published version.
- Perform regular security audits of project dependencies.
Evidence notes
The CVE-2026-50573 vulnerability is documented in the official CVE record and the National Vulnerability Database (NVD). The issue is also addressed in a security advisory by pnpm on GitHub. These sources provide detailed information about the vulnerability, its impact, and the fixes available.
Official resources
- CVE-2026-50573 CVE record (CVE.org)
- CVE-2026-50573 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.