Impact
pnpm, a popular package manager, improperly binds a user’s unscoped npm authentication token to a registry specified by a repository’s local .npmrc file. Before version 10.34.0 and 11.4.0, the token is sent as an Authorization header to the registry chosen by the .npmrc file, potentially exposing the token and allowing the attacker to impersonate the user. The weakness is in credential storage (CWE‑201) and insecure credential handling (CWE‑522).
Affected Systems
pnpm 10.x versions earlier than 10.34.0 and pn than 11.4.0 are vulnerable. The vulnerability arises when a repository includes a .npmrc that sets the registry property but omits an explicit auth entry.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. The EPSS score of < 1% indicates a very low exploitation probability, and the vulnerability is not listed in CISA KEV. Based on the most likely attack vector would involve a repository maintainer or collaborator placing a malicious .npmrc file in a project, configuring the registry to point to an attacker, which leads to the token being sent as an Authorization header to the remote registry.
OpenCVE Enrichment
Github GHSA