CVE-2026-55180
Analyzed Analyzed - Analysis Complete

Environment Variable Injection in pnpm Package Manager

Vulnerability report for CVE-2026-55180, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim environment secrets to an attacker-selected registry before lifecycle scripts run. This vulnerability is fixed in 10.34.2 and 11.5.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-29
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
pnpm pnpm to 10.34.2 (exc)
pnpm pnpm From 11.0.0 (inc) to 11.5.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

To detect this vulnerability on your system, you should first check the version of pnpm or pacquet installed to see if it is prior to the fixed versions 10.34.2 or 11.5.3.

  • Run `pnpm --version` to determine the installed pnpm version.

Additionally, inspect your project-level configuration files (.npmrc and pnpm-workspace.yaml) for any usage of environment variable placeholders like ${ENV_VAR}, especially in registry URLs or authentication credentials.

  • Use commands like `grep -r '\${' .npmrc pnpm-workspace.yaml` in your project directory to find environment variable placeholders.

On the network level, monitor outgoing requests from your build or development environment to detect any unexpected registry destinations that might be attacker-controlled.

  • Use network monitoring tools or commands such as `tcpdump` or `wireshark` to capture and analyze registry request destinations for suspicious URLs.
Executive Summary

This vulnerability affects the pnpm package manager. Before versions 10.34.2 and 11.5.3, pnpm and pacquet would expand environment variable placeholders (${ENV_VAR}) found in repository-controlled configuration files (.npmrc and pnpm-workspace.yaml) into registry request destinations and credentials.

Because these placeholders could include sensitive environment secrets, a malicious repository could exploit this behavior to send those secrets to an attacker-controlled registry during dependency resolution, before any lifecycle scripts run.

This means that simply by depending on a malicious repository, a user could unintentionally leak sensitive environment variables to an attacker.

Impact Analysis

The vulnerability can lead to the unintended disclosure of sensitive environment secrets to an attacker-controlled registry.

This could compromise confidential information such as API keys, tokens, or other environment variables that are used during package installation.

Such a leak could enable attackers to gain unauthorized access to systems or services, potentially leading to further security breaches.

Mitigation Strategies

To mitigate this vulnerability, update pnpm to version 10.34.2 or later, or 11.5.3 or later, where the issue is fixed.

Compliance Impact

This vulnerability allows a malicious repository to exfiltrate sensitive environment secrets, such as CI job tokens or npm tokens, to an attacker-controlled registry. Such unauthorized disclosure of sensitive information could lead to violations of data protection standards and regulations that require safeguarding of confidential data.

Because environment secrets may include credentials or tokens that could be linked to personal or organizational data, their leakage could impact compliance with regulations like GDPR or HIPAA, which mandate strict controls over access and disclosure of sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to the potential unauthorized exposure of sensitive environment data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55180. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart