Detections
Analytics

SCA: security update for pnpm (GHSA-54hh-g5mx-jqcp)

medium Tenable Cloud Security Plugin ID 444045

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

 - pnpm is a package manager. Prior to 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new
 remote package content after detecting that the downloaded tarball does not match the integrity recorded
 in pnpm-lock.yaml. When a package is already locked with an integrity value, and the registry later serves
 different metadata and tarball content for the same package name and version, pnpm initially reports an
 integrity mismatch. However, plain pnpm install then performs a resolution repair, accepts the registry's
 new integrity, updates the lockfile, installs the new content, and exits successfully. This means the
 lockfile integrity check does not act as a hard stop by default. This vulnerability is fixed in 10.34.0
 and 11.4.0. (CVE-2026-50573)

Solution

Update the pnpm library and its related packages to version 10.34.0 or later.

See Also

https://github.com/advisories/GHSA-54hh-g5mx-jqcp

Plugin Details

Severity: Medium

ID: 444045

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 6/27/2026

Updated: 6/29/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2026-50573

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/26/2026

Vulnerability Publication Date: 6/25/2026

Reference Information

CVE: CVE-2026-50573

cwe: CWE-345