<Vulnerability name="CVE-2026-55487">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-25T16:41:12</PublicDate>
    <Bugzilla id="2493035" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493035" xml:lang="en:us">
pnpm: pnpm: Supply chain compromise via manipulated package source strings
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-140</CWE>
    <Details xml:lang="en:us" source="Mitre">
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator normalized to the same value. This vulnerability is fixed in 10.34.2 and 11.5.3.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in pnpm, a package manager. This vulnerability allows a remote attacker to bypass security checks by manipulating how package source strings are processed. By crafting a specially designed source string, an attacker could trick the system into approving and using a malicious package instead of the intended one. This could lead to the execution of unauthorized code or the installation of harmful software, severely impacting the confidentiality, integrity, and availability of the system.
    </Details>
    <Statement xml:lang="en:us">
This Important vulnerability in pnpm allows an attacker to bypass security checks by manipulating package source strings. This could lead to the execution of unauthorized code or the installation of malicious software. The flaw arises from the package manager's normalization of opaque locators, where an approved source string could inadvertently authorize a different, attacker-controlled source.
    </Statement>
    <PackageState cpe="cpe:/a:redhat:amq_broker:7">
        <ProductName>Red Hat AMQ Broker 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:8">
        <ProductName>Red Hat JBoss Enterprise Application Platform 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-55487
https://nvd.nist.gov/vuln/detail/CVE-2026-55487
https://github.com/pnpm/pnpm/security/advisories/GHSA-5wx6-mg75-v57r
    </References>
</Vulnerability>