CVE-2025-69264

HIGH

Pnpm < 10.26.0 - Remote Code Execution

Title source: rule

Description

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.

References (2)

[Patch] https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5

View Patch ZIP pw:eip

[Exploit, Vendor Advisory] https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj

Scores

CVSS v3 8.8

EPSS 0.0011

EPSS Percentile 29.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-693

Status published

Affected Products (2)

pnpm/pnpm < 10.26.0

npm/pnpm < 10.26.0npm

Timeline

Published Jan 07, 2026

Tracked Since Feb 18, 2026