CVE-2025-69262
Unknown Unknown - Not Provided
Command Injection in pnpm .npmrc Enables Remote Code Execution

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-14
NVD
CVE-2025-69262
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pnpm pnpm 10.27.0
pnpm pnpm From 6.25.0 (inc) to 10.26.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Command Injection issue in pnpm versions 6.25.0 through 10.26.2. It occurs when environment variable substitution is used in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could exploit this to execute arbitrary commands remotely (Remote Code Execution) in build environments.

Impact Analysis

If exploited, this vulnerability allows an attacker to execute arbitrary code remotely within your build environment. This could lead to unauthorized access, data compromise, or disruption of your build processes.

Mitigation Strategies

Upgrade pnpm to version 10.27.0 or later, as this version contains the fix for the Command Injection vulnerability related to environment variable substitution in .npmrc configuration files with tokenHelper settings.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69262. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart