All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-55180
MEDIUMpublished 2026-06-25 18:16 UTC · 3 days ago · modified 2026-06-25 19:16 UTC
6.5
CVSS / 10
// description
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim environment secrets to an attacker-selected registry before lifecycle scripts run. This vulnerability is fixed in 10.34.2 and 11.5.3.
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
// weaknesses (CWE)
- CWE-200
- CWE-201
- CWE-522