PT-2026-1939 · Pnpm · Pnpm
Published 2026-01-07 · Updated 2026-01-08 · CVE-2025-69262
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
pnpm versions 6.25.0 through 10.26.2
Description
pnpm, a package manager for Node.js, is vulnerable to command injection when environment-variable substitution is used in .npmrc configuration files together with a tokenHelper setting. pnpm executes the program named by tokenHelper to obtain a registry authentication token, and `${VAR}` references in .npmrc are resolved from the environment of the pnpm process. An attacker who can control environment variables while pnpm runs (for example in a CI build job) can therefore influence what pnpm executes and achieve remote code execution in the build environment.
Recommendations
Update to pnpm version 10.27.0 or later.
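The following is an added example, not pnpm project code and not part of the original advisory: a small Node.js audit script that parses .npmrc content, flags any tokenHelper entry (global or per-registry) whose value is resolved from the environment through `${VAR}` substitution, and checks whether a given pnpm version falls inside the affected range stated above. The sample .npmrc is constructed; the registry hostnames and variable names in it are placeholders, and support for the `${VAR-default}` fallback form is assumed from npm's ini substitution rules.

```javascript
// Added example (not pnpm's own code): audit .npmrc text for tokenHelper
// entries that depend on environment-variable substitution, the configuration
// shape this advisory concerns, and check a pnpm version against the affected
// range 6.25.0 .. 10.26.2 (fixed in 10.27.0).

// Matches ${VAR}, and (assumed from npm's ini rules) ${VAR-default} /
// ${VAR:-default}; group 1 is the variable name.
const ENV_REF = /\$\{([A-Za-z_][A-Za-z0-9_]*)[^}]*\}/g;

// Minimal ini-style parser: key=value lines, '#' or ';' comments skipped.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// tokenHelper may be global (`tokenHelper=`) or scoped to a registry
// (`//registry.example/:tokenHelper=`). Flag any whose value pulls in an
// environment variable: the executable pnpm runs is then chosen by whoever
// controls the environment of the pnpm process.
function findRiskyTokenHelpers(text) {
  const findings = [];
  for (const { key, value } of parseNpmrc(text)) {
    if (!/(^|:)tokenHelper$/.test(key)) continue;
    const vars = [...value.matchAll(ENV_REF)].map((m) => m[1]);
    if (vars.length > 0) findings.push({ key, value, vars });
  }
  return findings;
}

// Version handling: accept "10.26.2" or "v10.26.2", compare major.minor.patch.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Inclusive range taken from the advisory text.
function isAffectedPnpm(version) {
  const v = parseVersion(version);
  return compareVersions(v, [6, 25, 0]) >= 0 && compareVersions(v, [10, 26, 2]) <= 0;
}

// Constructed sample .npmrc (placeholder hosts and variable names).
const SAMPLE_NPMRC = [
  'registry=https://registry.npmjs.org/',
  '# per-registry helper resolved from the environment: flagged',
  '//npm.internal.example/:tokenHelper=${NPM_TOKEN_HELPER}',
  '# fixed absolute path: not flagged',
  '//npm.other.example/:tokenHelper=/usr/local/bin/get-npm-token',
  '# global helper with a default fallback: flagged',
  'tokenHelper=${TOKEN_HELPER-/opt/tokens/helper}',
  '# ordinary token substitution, not a tokenHelper key: not flagged',
  '//registry.npmjs.org/:_authToken=${NPM_TOKEN}',
].join('\n');

for (const f of findRiskyTokenHelpers(SAMPLE_NPMRC)) {
  console.log(`RISKY ${f.key} = ${f.value} (env: ${f.vars.join(', ')})`);
}
for (const v of ['6.24.9', '6.25.0', '10.26.2', '10.27.0']) {
  console.log(`pnpm ${v}: ${isAffectedPnpm(v) ? 'affected' : 'not affected'}`);
}
```

Run the script over the real .npmrc files a build job consumes (project, user and global), not only the sample; any flagged entry should be replaced with a fixed path or removed until the runner is on pnpm 10.27.0 or later.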
Exploit
Fix
RCE
OS Command Injection
Code Injection
Related Identifiers
Affected Products
Pnpm