PT-2026-1940 · Pnpm · Pnpm

Published: 2026-01-07 · Updated: 2026-01-27 · CVE-2025-69263

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pnpm versions 10.26.2 and below

Description: pnpm, a package manager, stores HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes in versions 10.26.2 and below. Because no hash is recorded, the remote server can deliver different content on each installation, even when the lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. Exploitation requires the victim to install a package that has an HTTP or git tarball in its dependency tree; the lockfile offers no protection against this.

Recommendations: Update to pnpm version 10.26.0 or later.

Related Identifiers

CVE-2025-69263
GHSA-7VHP-VF5G-R2FW

Affected Products

Pnpm