PT-2026-1940 · Pnpm · Pnpm
Published 2026-01-07 · Updated 2026-01-27 · CVE-2025-69263
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
pnpm versions 10.26.2 and below
Description
pnpm, a package manager, records HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes in versions 10.26.2 and below. Because nothing in the lockfile pins the tarball contents, the remote server can deliver different content on each installation even when the lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can therefore serve different code to different users or CI/CD environments. Exploitation requires only that the victim install a package whose dependency tree contains an HTTP or git tarball; the lockfile offers no protection against this.
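To make the weakness concrete, the following added example (not pnpm's own code, and not part of this advisory) audits a pnpm-lock.yaml for entries that are resolved from a tarball or git commit but carry no integrity hash, which are exactly the entries an affected pnpm cannot verify across installs. It assumes the lockfile v9 layout in which every entry under `packages:` has a `resolution:` line written as an inline YAML map such as `resolution: {integrity: sha512-...}` or `resolution: {tarball: https://...}`; it parses those lines with regular expressions rather than a full YAML parser, so quoted or multi-line resolution values would need a real YAML library. The embedded lockfile fragment, the package names, the `example.invalid` URLs and the `sha512-AAAA`/`sha512-BBBB` values are all constructed placeholders.

```python
"""Audit a pnpm-lock.yaml for tarball/git dependencies that carry no integrity hash.

Added example, not pnpm's own code. Assumption: lockfile v9 layout where each
entry under `packages:` has an inline-map `resolution:` line. Registry entries
carry `integrity`; HTTP/git tarball entries resolved by an affected pnpm carry
only `tarball` (or `commit`/`repo`), so their content can change between installs.
"""
import re
import sys
from typing import Dict, List

# Constructed sample lockfile fragment (not from any real project).
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      left-pad-lite:
        specifier: https://example.invalid/left-pad-lite.tgz
        version: https://example.invalid/left-pad-lite.tgz

packages:

  lodash@4.17.21:
    resolution: {integrity: sha512-AAAA}

  left-pad-lite@https://example.invalid/left-pad-lite.tgz:
    resolution: {tarball: https://example.invalid/left-pad-lite.tgz}

  some-lib@https://git.example.invalid/acme/some-lib/tar.gz/deadbeef:
    resolution: {tarball: https://git.example.invalid/acme/some-lib/tar.gz/deadbeef}

  pinned-tarball@https://example.invalid/pinned.tgz:
    resolution: {integrity: sha512-BBBB, tarball: https://example.invalid/pinned.tgz}
"""

# A package key is indented by exactly two spaces and ends with a colon.
PKG_KEY = re.compile(r"^  (\S.*?):\s*$")
# An inline-map resolution line: `    resolution: {k: v, k2: v2}`.
RESOLUTION = re.compile(r"^\s+resolution:\s*\{(.*)\}\s*$")


def parse_resolutions(lockfile_text: str) -> Dict[str, Dict[str, str]]:
    """Return {package_key: {resolution_field: value}} for the `packages:` section."""
    resolutions: Dict[str, Dict[str, str]] = {}
    in_packages = False
    current = None
    for line in lockfile_text.splitlines():
        # A non-indented, non-blank line starts a new top-level section.
        if not line.startswith(" ") and line.strip():
            in_packages = line.rstrip() == "packages:"
            current = None
            continue
        if not in_packages:
            continue
        key_match = PKG_KEY.match(line)
        if key_match:
            current = key_match.group(1)
            resolutions[current] = {}
            continue
        res_match = RESOLUTION.match(line)
        if res_match and current is not None:
            # Split the inline map on commas; sha512 base64 never contains a comma.
            for field in res_match.group(1).split(","):
                k, _, v = field.partition(":")
                resolutions[current][k.strip()] = v.strip()
    return resolutions


def unpinned_tarballs(lockfile_text: str) -> List[str]:
    """Package keys resolved from a tarball or git commit with no `integrity` field."""
    return [
        key
        for key, res in parse_resolutions(lockfile_text).items()
        if ("tarball" in res or "commit" in res) and "integrity" not in res
    ]


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/pnpm-lock.yaml]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    findings = unpinned_tarballs(text)
    for key in findings:
        print(f"UNVERIFIED TARBALL: {key}")
    sys.exit(1 if findings else 0)
```

Run against a real lockfile in CI, the script exits non-zero whenever the dependency tree pulls in an HTTP or git tarball that the lockfile cannot verify, which is the condition this advisory describes; it is a detection aid, and the fix remains updating pnpm as recommended below.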
Recommendations
Update to pnpm version 10.26.0 or later.
Affected Products
Pnpm