6.9 MEDIUM
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): None (N)
- User Interaction (UI): Active (A)
- Vulnerable System Impact Confidentiality (VC): High (H)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Active (A)
- Modified Vulnerable System Impact Confidentiality (MVC): High (H)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
Activity log
- Created suggestion
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken. The repository does not provide a token-bearing auth line. It only sets registry= to a different registry URL. During normal pnpm metadata/install workflows, pnpm binds the user-origin unscoped credential to the repository-selected registry and sends it as an Authorization header. This vulnerability is fixed in 10.34.0 and 11.4.0.
References
-
https://github.com/pnpm/pnpm/security/advisories/GHSA-cjhr-43r9-cfmw x_refsource_CONFIRM
Affected products
- ==< 10.33.4
- ==>= 11.0.0, < 11.4.0
Matching in nixpkgs
pkgs.pnpm
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_8
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_9
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_10
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_11
Fast, disk space efficient package manager for JavaScript
pkgs.pnpm_10_29_2
Fast, disk space efficient package manager for JavaScript
pkgs.pnpmBuildHook
None
pkgs.pnpmConfigHook
None
pkgs.pnpm-fixup-state-db
None
Package maintainers
-
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>
-
@Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
-
@donovanglover Donovan Glover