CVE-2025-69263

HIGH7.5EPSS 0.01%

pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

Published: 1/7/2026Modified: 2/3/2026
Also known as:GHSA-7vhp-vf5g-r2fw

Description

### Summary HTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. ### Details When a package depends on an HTTP tarball URL, pnpm's tarball resolver returns only the URL without computing an integrity hash: `resolving/tarball-resolver/src/index.ts`: ```javascript return { resolution: { tarball: resolvedUrl, // No integrity field }, resolvedVia: 'url', } ``` The resulting lockfile entry has no integrity to verify: ```yaml remote-dynamic-dependency@http://example.com/pkg.tgz: resolution: {tarball: http://example.com/pkg.tgz} version: 1.0.0 ``` Since there is no integrity hash, pnpm cannot detect when the server returns different content. This affects: - HTTP/HTTPS tarball URLs (`"pkg": "https://example.com/pkg.tgz"`) - Git shorthand dependencies (`"pkg": "github:user/repo"`) - Git URLs (`"pkg": "git+https://github.com/user/repo"`) npm registry packages are not affected as they include integrity hashes from the registry metadata. ### PoC See attached [pnpm-bypass-integrity-poc.zip](https://github.com/user-attachments/files/23819648/pnpm-bypass-integrity-poc.zip) The POC includes: - A server that returns different tarball content on each request - A `malicious-package` that depends on the HTTP tarball - A `victim` project that depends on `malicious-package` To run: ```bash cd pnpm-bypass-integrity-poc ./run-poc.sh ``` The output shows that each install (with `pnpm store prune` between them) downloads different code despite having a committed lockfile. ### Impact An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. This enables: - Targeted attacks based on request metadata (IP, headers, timing) - Evasion of security audits (serve benign code during review, malicious code later) - Supply chain attacks where the malicious payload changes over time The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection.

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1HIGH7.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References (4)