GHSA-HG3W-7F8C-63HP
Vulnerability from github – Published: 2026-06-26 21:49 – Updated: 2026-06-26 21:49
Summary
pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile
Details
Summary
A malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile.
Details
The lockfile does not store the hash of dependencies fetched from https://codeload.github.com.
This means that if this server were compromised, or a person's machine configuration were compromised so that the URL resolves elsewhere, pnpm would download and install whatever tarball it received, with nothing in the lockfile to detect the substitution.
PoC

```sh
> pnpm -v
10.28.2
```

Given the following package.json:

```json
{
  "dependencies": {
    "add": "git://github.com/dsherret/npm-git-dep.git#b3eeb9b"
  }
}
```

This produces a lockfile like so:

```yaml
lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

importers:

  .:
    dependencies:
      add:
        specifier: git://github.com/dsherret/npm-git-dep.git#b3eeb9b
        version: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b

packages:

  add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b:
    resolution: {tarball: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b}
    version: 1.0.0

snapshots:

  add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b: {}
```

Notice that there is no hash. The `b3eeb9b` is not sufficient because I can configure my machine to resolve a compromised tarball from that URL (I tested it out and pnpm just installs it).
Impact
Anyone relying on GitHub git dependencies.
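As an added defensive check (example code written for this page, not part of pnpm or of the advisory): the script below walks the `packages:` section of a pnpm v9 lockfile and reports every entry whose `resolution` is a `tarball:` URL with no `integrity:` field, which is exactly the gap the advisory describes. The sample lockfile embedded in it is constructed from the one shown above, with a second registry-style package and a placeholder integrity value added for contrast. The hand-rolled line parser is an assumption of this example: it handles only the flat layout shown here (two-space-indented package keys, a single-line flow mapping for `resolution`), not arbitrary YAML.

```python
"""Audit a pnpm v9 lockfile for tarball-resolved packages that carry no integrity hash.

Example code for this page, not pnpm's own tooling. The parser below assumes the
flat lockfile layout shown in the advisory and does not implement general YAML.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the advisory's lockfile plus one registry-style package
# (example-pkg, with a placeholder integrity value) so the two cases can be compared.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

importers:

  .:
    dependencies:
      add:
        specifier: git://github.com/dsherret/npm-git-dep.git#b3eeb9b
        version: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b

packages:

  add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b:
    resolution: {tarball: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b}
    version: 1.0.0

  example-pkg@1.2.3:
    resolution: {integrity: sha512-PLACEHOLDER-not-a-real-hash}

snapshots:

  add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b: {}
"""

# One "key: value" item inside a single-line flow mapping; values stop at ',' or '}'.
FLOW_ITEM = re.compile(r"\s*([A-Za-z_]+):\s*([^,}]+)")


@dataclass
class Finding:
    package: str   # lockfile package key, e.g. "add@https://codeload.github.com/..."
    tarball: str   # URL the tarball is fetched from
    host: str      # hostname of that URL (codeload.github.com for GitHub git deps)


def parse_flow_mapping(text: str) -> dict:
    """Turn '{tarball: https://..., integrity: sha512-...}' into a dict."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        return {}
    return {key: value.strip() for key, value in FLOW_ITEM.findall(body[1:-1])}


def iter_package_resolutions(lockfile_text: str):
    """Yield (package_key, resolution_dict) for each entry under 'packages:'."""
    in_packages = False
    current = None
    for raw in lockfile_text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:                      # top-level section header
            in_packages = line == "packages:"
            current = None
            continue
        if not in_packages:
            continue
        if indent == 2 and line.endswith(":"):   # package key (may itself contain ':')
            current = line[:-1]
        elif indent == 4 and line.startswith("resolution:") and current:
            yield current, parse_flow_mapping(line[len("resolution:"):])


def find_unpinned_tarballs(lockfile_text: str) -> list:
    """Return packages fetched as a tarball without an integrity hash to verify it."""
    findings = []
    for package, resolution in iter_package_resolutions(lockfile_text):
        tarball = resolution.get("tarball")
        if tarball and "integrity" not in resolution:
            host = urlparse(tarball).hostname or ""
            findings.append(Finding(package, tarball, host))
    return findings


if __name__ == "__main__":
    for finding in find_unpinned_tarballs(SAMPLE_LOCKFILE):
        print(f"UNPINNED TARBALL  {finding.package}\n    fetched from {finding.host} with no integrity field")
```

Run against a real `pnpm-lock.yaml` by reading the file into `find_unpinned_tarballs`; an empty result means every tarball-resolved package has an `integrity` value the installer can check, while each finding is a dependency whose contents are trusted to the serving host alone.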
Severity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.33.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48995"
],
"database_specific": {
"cwe_ids": [
"CWE-353"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T21:49:22Z",
"nvd_published_at": "2026-06-25T18:16:38Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA malicious `codeload.github.com` server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile.\n\n### Details\n\nThe lockfile does not store the hash of the dependencies from https://codeload.github.com\n\nThis means that if this server was compromised or a person\u0027s machine configuration was compromised, pnpm would download and install these dependencies.\n\n### PoC\n\n```sh\n\u003e pnpm -v \n10.28.2\n```\n\nGiven the following package.json:\n\n```json\n{\n \"dependencies\": {\n \"add\": \"git://github.com/dsherret/npm-git-dep.git#b3eeb9b\"\n }\n}\n```\n\nThis produces a lockfile like so:\n\n```yaml\nlockfileVersion: \u00279.0\u0027\n\nsettings:\n autoInstallPeers: true\n excludeLinksFromLockfile: false\n\nimporters:\n\n .:\n dependencies:\n add:\n specifier: git://github.com/dsherret/npm-git-dep.git#b3eeb9b\n version: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b\n\npackages:\n\n add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b:\n resolution: {tarball: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b}\n version: 1.0.0\n\nsnapshots:\n\n add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b: {}\n```\n\nNotice that there is no hash. The `b3eeb9b` is not sufficient because I can configure my machine to resolve a compromised tarball from that url (I tested it out and pnpm just installs it).\n\n### Impact\n\nAnyone relying on github git dependencies.",
"id": "GHSA-hg3w-7f8c-63hp",
"modified": "2026-06-26T21:49:22Z",
"published": "2026-06-26T21:49:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-hg3w-7f8c-63hp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48995"
},
{
"type": "PACKAGE",
"url": "https://github.com/pnpm/pnpm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile"
}