CVE-2025-69262

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 0.8 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/pnpm/pnpm/releases/tag/v10.27.0	Product Release Notes
https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx	Exploit Vendor Advisory
https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:*:node.js:*

History

No history.

Information

Published : 2026-01-07 23:15

Updated : 2026-01-12 21:50

NVD link : CVE-2025-69262

Mitre link : CVE-2025-69262

CVE.ORG link : CVE-2025-69262

JSON object : View

Products Affected

pnpm

pnpm

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2025-69262", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-01-07T23:15:50.330", "references": [{"url": "https://github.com/pnpm/pnpm/releases/tag/v10.27.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0."}], "lastModified": "2026-01-12T21:50:45.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:*:node.js:*", "vulnerable": true, "matchCriteriaId": "CA432522-59B0-4DD7-AB6E-AE3D30B63EDC", "versionEndExcluding": "10.27.0", "versionStartIncluding": "6.25.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}