CVE-2026-55180
Undergoing Analysis - In Progress
Environment Variable Injection in pnpm Package Manager

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim environment secrets to an attacker-selected registry before lifecycle scripts run. This vulnerability is fixed in 10.34.2 and 11.5.3.
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-26
AI Q&A
2026-06-25
EPSS Evaluated
N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
pnpm pnpm to 11.5.3 (exc)
pnpm pnpm From 11.0.0 (inc) to 11.5.3 (inc)
pnpm pacquet From 11.0.0 (inc) to 11.5.3 (inc)
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
AI Quick Actions
Compliance Impact

This vulnerability allows a malicious repository to exfiltrate sensitive environment secrets, such as CI job tokens or npm tokens, to an attacker-controlled registry. Such unauthorized disclosure of sensitive information could lead to violations of data protection standards and regulations that require safeguarding of confidential data.

Because environment secrets may include credentials or tokens that could be linked to personal or organizational data, their leakage could impact compliance with regulations like GDPR or HIPAA, which mandate strict controls over access and disclosure of sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to the potential unauthorized exposure of sensitive environment data.

Executive Summary

This vulnerability affects the pnpm package manager. Before versions 10.34.2 and 11.5.3, pnpm and pacquet would expand environment variable placeholders (${ENV_VAR}) found in repository-controlled configuration files (.npmrc and pnpm-workspace.yaml) into registry request destinations and credentials.

Because these placeholders expand to values taken from the victim's environment, which may be secrets, a malicious repository could exploit this behavior to send those secrets to an attacker-controlled registry during dependency resolution, before any lifecycle scripts run.

This means that simply by running dependency resolution inside a malicious repository, a user could unintentionally leak sensitive environment variables to an attacker.

Impact Analysis

The vulnerability can lead to the unintended disclosure of sensitive environment secrets to an attacker-controlled registry.

This could compromise confidential information such as API keys, tokens, or other environment variables that are used during package installation.

Such a leak could enable attackers to gain unauthorized access to systems or services, potentially leading to further security breaches.

Mitigation Strategies

To mitigate this vulnerability, update pnpm (or pacquet) to version 10.34.2 or later on the 10.x line, or 11.5.3 or later on the 11.x line, where the issue is fixed.

Detection Guidance

To detect this vulnerability on your system, first check whether the installed pnpm or pacquet version is older than the fixed versions 10.34.2 (10.x line) or 11.5.3 (11.x line).

  • Run `pnpm --version` to determine the installed pnpm version.

Additionally, inspect your project-level configuration files (.npmrc and pnpm-workspace.yaml) for any usage of environment variable placeholders like ${ENV_VAR}, especially in registry URLs or authentication credentials.

  • Use commands like `grep -r '\${' .npmrc pnpm-workspace.yaml` in your project directory to find environment variable placeholders.

On the network level, monitor outgoing requests from your build or development environment to detect any unexpected registry destinations that might be attacker-controlled.

  • Use network monitoring tools or commands such as `tcpdump` or `wireshark` to capture registry request destinations and compare them against the registries your project is expected to use.
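As an added example (not part of this record or of pnpm itself), the following Python audit carries the first two detection steps further: it parses .npmrc key=value lines and pnpm-workspace.yaml key: value lines, reports every ${ENV_VAR} placeholder, marks those sitting in registry or credential settings, and compares a pnpm version string against the fixed releases. The file names, the sample configurations and the list of sensitive keys are assumptions.

```python
# Added audit script (not from the advisory or from pnpm): flags ${ENV_VAR} placeholders in repo pnpm config and checks a version against the fix.
import re

FIXED_BY_MAJOR = {10: (10, 34, 2), 11: (11, 5, 3)}  # fixed releases named in the advisory
PLACEHOLDER = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")
# Settings whose values become registry destinations or registry credentials (assumed list).
SENSITIVE_KEY = re.compile(r"registry|_auth|_password|username", re.I)


def is_vulnerable(version: str) -> bool:
    """True if `version` (as printed by `pnpm --version`) predates the fixed release."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]] + [0, 0, 0]
    major, minor, patch = nums[:3]
    if major < 10:  # every release before the 10.x line is "prior to 10.34.2"
        return True
    fixed = FIXED_BY_MAJOR.get(major)
    return fixed is not None and (major, minor, patch) < fixed  # assumes majors > 11 are fixed


def audit_config(text: str, kind: str, filename: str):
    """Return (filename, line_no, key, placeholder, sensitive) for every ${VAR} found.
    kind is 'npmrc' (key=value, keys may contain ':') or 'yaml' (key: value scalars)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip()[0] in "#;":  # blank or comment line
            continue
        if kind == "npmrc":
            key, sep, value = line.partition("=")
        else:  # a YAML mapping line: key, then ': ', then the scalar value
            m = re.match(r"^\s*(.+?):\s+(.*)$", line)
            key, sep, value = (m.group(1), ":", m.group(2)) if m else ("", "", "")
        if not sep:
            continue
        key = key.strip().strip("\"'")
        for ph in PLACEHOLDER.findall(value):
            findings.append((filename, n, key, ph, bool(SENSITIVE_KEY.search(key))))
    return findings


# Constructed sample files standing in for what a cloned repository might ship.
SAMPLE_NPMRC = """registry=https://registry.npmjs.org/
@corp:registry=https://npm-${CI_JOB_TOKEN}.example.invalid/
//npm.example.invalid/:_authToken=${NPM_TOKEN}
store-dir=${HOME}/.pnpm-store
"""
SAMPLE_WORKSPACE = """packages:
  - 'packages/*'
registry: https://mirror.example.invalid/${GITHUB_TOKEN}/
"""

if __name__ == "__main__":  # print one report line per finding in the samples
    for f in audit_config(SAMPLE_NPMRC, "npmrc", ".npmrc") + audit_config(SAMPLE_WORKSPACE, "yaml", "pnpm-workspace.yaml"):
        print("HIGH" if f[4] else "info", *f[:4])
```

Run it against a real checkout by reading the two files from disk instead of the samples; a HIGH finding means a placeholder that an affected pnpm would expand into a registry destination or credential.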