Description
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken. The repository does not provide a token-bearing auth line. It only sets registry= to a different registry URL. During normal pnpm metadata/install workflows, pnpm binds the user-origin unscoped credential to the repository-selected registry and sends it as an Authorization header. This vulnerability is fixed in 10.34.0 and 11.4.0.
Severity (CVSS)
| Base score | 6.9 |
|---|---|
| Severity | Medium |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| Provided by | CNA |
Weaknesses
- CWE-200 — CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-522 — CWE-522: Insufficiently Protected Credentials
Affected products
| Vendor | Product | Versions |
|---|---|---|
| pnpm | pnpm | < 10.33.4; >= 11.0.0, < 11.4.0 |
References
- https://github.com/pnpm/pnpm/security/advisories/GHSA-cjhr-43r9-cfmw (x_refsource_CONFIRM)
Generated from the official CVE List on 26 Jun 2026 07:05 UTC.