pnpm Lockfile Integrity Bypass Vulnerability Allowing Remote Dynamic Dependencies

Vulnerability

A vulnerability exists in pnpm, a package manager, in versions prior to 10.26.0. The issue arises because HTTP tarball dependencies, including those hosted on Git, are stored in the lockfile without integrity hashes. This omission allows remote servers to deliver different content with each installation, even when a lockfile is committed. As a result, an attacker could publish a package that serves varying code to different users or CI/CD environments. The vulnerability requires the victim to install a package with an HTTP or Git tarball dependency, and the lack of integrity verification in the lockfile leaves users unprotected.

Impact

Exploitation of this vulnerability could lead to a bypass of lockfile integrity checks, allowing for the introduction of malicious code into projects or environments that install affected packages. This could facilitate targeted attacks, evasion of security audits, or supply chain attacks where the nature of the delivered code changes over time.

Reproduction

To reproduce this vulnerability, publish a package that includes an HTTP tarball dependency or a Git dependency (such as a Git URL or Git shorthand). When this package is installed in a project with a pnpm version prior to 10.26.0, the tarball is fetched and recorded in the lockfile without an integrity hash. After the initial installation, run 'pnpm store prune' to clean the global virtual store, then reinstall the package. Because no integrity hash is recorded, a different tarball can be downloaded on each install, demonstrating the vulnerability.
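The defender-side check that follows from the description above is to audit a committed pnpm-lock.yaml for HTTP tarball or Git resolutions that carry no integrity field, since those are the entries a remote server can swap out between installs. The script below is an added example and is not pnpm's own code; the lockfile excerpt is constructed for the example, and the assumed line shape (a package key indented by two spaces followed by a single-line "resolution: {...}" map) is an assumption about the lockfile format, not something the advisory states.

```javascript
// Added example: flag pnpm-lock.yaml entries whose resolution points at an
// HTTP tarball or a Git repository but records no integrity hash.
// The lockfile below is CONSTRUCTED sample input; hashes are placeholders.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'

packages:

  lodash@4.17.21:
    resolution: {integrity: sha512-PLACEHOLDERREGISTRYHASH==}

  '@example/tarball-dep@https://example.invalid/pkg.tgz':
    resolution: {tarball: https://example.invalid/pkg.tgz}

  'example-git-dep@git+https://example.invalid/repo.git#abc123':
    resolution: {commit: abc123, repo: https://example.invalid/repo.git, type: git}

  'pinned-tarball@https://example.invalid/pinned.tgz':
    resolution: {integrity: sha512-PLACEHOLDERPINNEDHASH==, tarball: https://example.invalid/pinned.tgz}
`;

// Walk the "packages:" block line by line (assumed layout: two-space indented
// package keys, four-space indented single-line resolution maps) and return
// every remote (tarball or git) entry that lacks an "integrity:" field.
function findUnpinnedRemoteDeps(lockfileText) {
  const findings = [];
  let inPackages = false;
  let currentKey = null;

  for (const line of lockfileText.split('\n')) {
    // Any non-indented line starts a new top-level section.
    if (/^\S/.test(line)) {
      inPackages = line.trim() === 'packages:';
      currentKey = null;
      continue;
    }
    if (!inPackages) continue;

    // Package key: exactly two leading spaces, ends with a colon.
    const keyMatch = line.match(/^  (\S.*):\s*$/);
    if (keyMatch) {
      currentKey = keyMatch[1].replace(/^'|'$/g, '');
      continue;
    }

    // Resolution map for the current package key.
    const resMatch = line.match(/^    resolution:\s*\{(.*)\}\s*$/);
    if (resMatch && currentKey) {
      const fields = resMatch[1];
      const isRemote = /\btarball:/.test(fields) || /\btype: git\b/.test(fields);
      const hasIntegrity = /\bintegrity:/.test(fields);
      if (isRemote && !hasIntegrity) {
        findings.push({ name: currentKey, resolution: fields });
      }
    }
  }
  return findings;
}

// Stand-alone usage: report each unpinned remote dependency.
for (const f of findUnpinnedRemoteDeps(SAMPLE_LOCKFILE)) {
  console.log(`no integrity hash: ${f.name} -> {${f.resolution}}`);
}
```

Running this against the sample reports the plain tarball entry and the Git entry and stays silent on the registry package and on the tarball that already carries an integrity field. In a CI job the same check can gate merges until the lockfile is regenerated with a fixed pnpm (10.26.0 or later), which records the missing hashes.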

Remediation

Users can upgrade to pnpm version 10.26.0 or later, where this vulnerability has been fixed.

Added: Jan 7, 2026, 10:31 PM
Updated: Jan 7, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm

spread          6.6
impact          10.0
exploitability  5.8
remediation     7.7
relevance       1.9
threat          6.4
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.