pnpm is vulnerable to Exposure of Sensitive Information
65
Medium Risk
pnpm maps unscoped authentication credentials such as _authToken, _auth, username/_password, and tokenHelper from one configuration source to whichever registry another source selects. A repository-local .npmrc can redirect the default registry, causing pnpm to send the user's stored credentials in an Authorization header to an attacker-controlled host during install, view, and metadata operations. Tokens issued for the user's intended registry can be exfiltrated to a different registry without explicit URL scoping. The fix pins unscoped per-registry settings to the registry declared in the same config source at load time and emits deprecation warnings for each rescoped setting.
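As an added illustration (not pnpm's own code), the following script models the credential-scoping behaviour described above: a minimal .npmrc reader, the pre-fix resolution that pairs an unscoped token with whichever registry wins the merge, and the fixed resolution that pins each unscoped credential to the registry declared in its own config source. The sample configs, the placeholder token and the reserved .invalid registry host are constructed; the fallback to the default registry for a source that declares none is an assumption.

```javascript
const UNSCOPED_AUTH_KEYS = ["_authToken", "_auth", "username", "_password", "tokenHelper"];
const DEFAULT_REGISTRY = "https://registry.npmjs.org/";
// Minimal .npmrc reader (key=value lines, '#'/';' comments); not pnpm's parser.
function parseNpmrc(text) {
  const settings = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line[0] === "#" || line[0] === ";") continue;
    const eq = line.indexOf("=");
    if (eq > 0) settings[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return settings;
}

// Registry URL -> the "//host/path/:" prefix that npm-style scoped credential keys use.
function registryPrefix(registry) {
  const u = new URL(registry);
  return "//" + u.host + u.pathname.replace(/\/?$/, "/") + ":";
}

// Pre-fix behaviour: sources are merged wholesale (later wins), then the winning unscoped
// token is paired with the winning registry, whichever source each one came from.
function resolveVulnerable(sources) {
  const merged = Object.assign({}, ...sources);
  const registry = merged.registry || DEFAULT_REGISTRY;
  const token = merged[registryPrefix(registry) + "_authToken"] || merged._authToken || null;
  return { registry, token, warnings: [] };
}

// Fixed behaviour as the advisory describes it: each unscoped credential is rescoped at load
// time to its own source's registry (assumed: the default registry when none is declared).
function resolveFixed(sources) {
  const merged = {}, warnings = [];
  for (const source of sources) {
    const own = registryPrefix(source.registry || DEFAULT_REGISTRY);
    for (const [key, value] of Object.entries(source)) {
      if (!UNSCOPED_AUTH_KEYS.includes(key)) { merged[key] = value; continue; }
      warnings.push(`unscoped ${key} rescoped to ${own}${key}; declare it in that form`);
      merged[own + key] = value;
    }
  }
  const registry = merged.registry || DEFAULT_REGISTRY;
  return { registry, token: merged[registryPrefix(registry) + "_authToken"] || null, warnings };
}
// Constructed sample: a user-level rc with an unscoped placeholder token, and a repo-local rc
// that redirects the default registry to a reserved .invalid host.
const USER_RC = parseNpmrc("registry=https://registry.npmjs.org/\n_authToken=TOKEN-PLACEHOLDER\n");
const PROJECT_RC = parseNpmrc("# repo-local .npmrc\nregistry=https://registry.example.invalid/\n");
const SOURCES = [USER_RC, PROJECT_RC]; // ascending precedence: project overrides user
```

With the pre-fix resolution the placeholder token is attached to the redirected registry; with the fixed resolution the redirected registry gets no credentials and one deprecation warning is emitted for the rescoped key.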
You are affected if you are using a version that falls within the vulnerable range.
pnpm is vulnerable to Exposure of Sensitive Information in versions 0.0.1 - 10.33.4 and 11.0.0 - 11.3.0.
Upgrade pnpm to a patched version.