CNNVD-202601-1140 Information

CNNVD ID

CNNVD-202601-1140

CVE-2025-69263

  • CNNVD Published: 2026-01-07

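Description (Chinese, translated)

pnpm is an open-source package manager from pnpm. pnpm 10.26.2 and earlier versions contain a security vulnerability, which stems from HTTP tarball dependencies stored in the lockfile lacking an integrity hash, which may allow the server to serve different content.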

Description (English)

pnpm is an open-source package manager. pnpm 10.26.2 and earlier versions contain a security vulnerability: HTTP tarball dependencies are stored in the lockfile without an integrity hash, so the server may serve different content.

Hazard Level

Medium

Vulnerability Type

Other

Affected Vendor

pnpm

Published

2026-01-07

Last Modified

2026-02-24

References

  • https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85
  • https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw
  • https://access.redhat.com/security/cve/cve-2025-69263

Patch

https://github.com/pnpm/pnpm/releases
