Description

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.

INFO

Published Date :

2026-01-07T21:53:09.806Z

Last Modified :

2026-01-09T04:55:28.848Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-69264 vulnerability.

Vendors Products
Pnpm
  • Pnpm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-69264.

URL Resource
https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5 cve-icon cve-icon cve-icon
https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-69264 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-69264 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact