CVE-2026-55697 | pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm… | CVSS 7.5 HIGH

Description

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency and pnpm treated that repository-controlled dependency as an install-engine opt-in. During install, pnpm resolved a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config/<packageName> and spawned it as the developer or CI user. This vulnerability is fixed in 10.34.2 and 11.5.3.

Metadata

CVE ID: CVE-2026-55697
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-17 00:13 UTC
Published: 2026-06-25 16:42 UTC
Last updated: 2026-06-25 16:42 UTC
Primary CWE: CWE-78
CWE-78: Improper Neutralization of Special Elements used in …
Vendor / Product: pnpm / pnpm
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
pnpm	pnpm	—	< 10.34.2, >= 11.0.0, < 11.5.3

Weakness (CWE)

CWE	Source	Description
CWE-494	cna	CWE-494: Download of Code Without Integrity Check
CWE-78	cna	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-829	cna	CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References (1)

https://github.com/pnpm/pnpm/security/advisories/GHSA-gj8w-mvpf-x27x https://github.com/pnpm/pnpm/security/advisories/GHSA-gj8w-mvpf-x27x