Insufficiently Protected Credentials Affecting pnpm package, versions <10.34.2>=11.0.0 <11.5.3


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.21% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-PNPM-17874446
  • published7 Jul 2026
  • disclosed25 Jun 2026
  • creditmldangelo-oai

Introduced: 25 Jun 2026

NewCVE-2026-55180  (opens in a new tab)
CWE-522  (opens in a new tab)

How to fix?

Upgrade pnpm to version 10.34.2, 11.5.3 or higher.

Overview

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Insufficiently Protected Credentials in repository-controlled configuration, where ${ENV_VAR} placeholders in a project .npmrc or pnpm-workspace.yaml are expanded into registry request destinations and credentials by the config reader (loadNpmrcFiles.ts). An attacker can exfiltrate environment secrets such as npm or CI job tokens by publishing a repository whose .npmrc places a placeholder like ${CI_JOB_TOKEN} in a registry URL or an _authToken value, which is expanded and sent to the attacker-selected registry during dependency resolution. Exploitation requires the victim to run pnpm or pacquet in the malicious repository with the referenced secret present in the environment, and the disclosure occurs before lifecycle scripts run, so --ignore-scripts does not prevent it.

CVSS Base Scores

version 4.0
version 3.1