CVE-2025-69264
Remote Code Execution via Git Dependencies in pnpm
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pnpm | pnpm | to 10.26.0 (exc) |
| pnpm | pnpm | 10.26.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in pnpm versions 10.0.0 through 10.25 allows git-hosted dependencies to execute arbitrary code during the pnpm install process. Although pnpm v10 disables dependency lifecycle scripts by default, git dependencies can still run prepare, prepublish, and prepack scripts during the fetch phase. This enables remote code execution without the user's consent or approval. The issue is fixed in version 10.26.0.
How can this vulnerability impact me? :
The vulnerability can lead to remote code execution on your system during the installation of git-hosted dependencies with pnpm. This means an attacker could run arbitrary code without your consent, potentially compromising system integrity, confidentiality, and availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade pnpm to version 10.26.0 or later, as this version contains the fix for the vulnerability that allows arbitrary code execution via git-hosted dependencies during installation.