CVE-2025-69263

Severity score: 7.5 (HIGH)

📋 TL;DR

This vulnerability lets an attacker who controls the server behind an HTTP or git tarball dependency serve malicious code to pnpm users. Because the lockfile records no integrity hash for such dependencies, nothing verifies the downloaded content, so different content can be delivered on each installation. Anyone using pnpm versions 10.26.2 or below with HTTP/git tarball dependencies is affected.

💻 Affected Systems

Products:
  • pnpm
Versions: All versions below 10.26.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using HTTP or git-hosted tarball dependencies. HTTPS dependencies are not affected.

📦 What is this software?

pnpm is a package manager for Node.js projects. It resolves the dependencies declared in package.json and records the result in pnpm-lock.yaml, which for registry packages includes an integrity hash that later installs use to check each fetched package.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could deliver targeted malicious code to specific users or CI/CD environments, potentially leading to supply chain attacks, data theft, or system compromise.

🟠 Likely Case

Malicious packages could be distributed through compromised dependencies, leading to unauthorized code execution in development or build environments.

🟢 If Mitigated

With proper version control and dependency auditing, impact is limited to potential build failures or non-critical package manipulation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim to install a package that declares an HTTP/git tarball dependency. The attacker needs control over the remote server serving the tarball; for plaintext http:// URLs, the ability to tamper with the download in transit is sufficient, since no integrity hash is checked.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.26.0 and above

Vendor Advisory: https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw

Restart Required: No

Instructions:

1. Update pnpm globally: npm install -g pnpm@latest
2. Update pnpm in project: pnpm add -g pnpm@latest
3. Regenerate lockfile: pnpm install --force
4. Verify all dependencies use HTTPS or have integrity hashes

🔧 Temporary Workarounds

Enforce HTTPS dependencies (applies to: all)

Configure pnpm to use only HTTPS sources and reject HTTP/git tarballs. Note that strict-ssl enforces TLS certificate validation on registry requests; it does not by itself rewrite or block a dependency whose specifier is an http:// or git URL, so those specifiers still have to be removed from package.json.

pnpm config set strict-ssl true
pnpm config set registry https://registry.npmjs.org/

Audit and replace HTTP dependencies (applies to: all)

Identify and replace all HTTP/git tarball dependencies with HTTPS versions that carry an integrity hash. The grep below lists every http:// or git specifier in the manifest and lockfile.

pnpm audit
grep -nE 'http://|git://|git\+' package.json pnpm-lock.yaml

🧯 If You Can't Patch

  • Audit all dependencies and remove any using HTTP/git tarballs
  • Implement network controls to block HTTP package downloads from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the pnpm version and inspect pnpm-lock.yaml for HTTP/git tarball dependencies whose resolution carries no integrity hash.

Check Version:

pnpm --version

Verify Fix Applied:

Verify pnpm version is 10.26.0+ and check that lockfile contains integrity hashes for all dependencies
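A practical way to run the lockfile check described above, as an added example that is not part of this advisory or of pnpm's own tooling: a Python script that reads the packages section of a pnpm-lock.yaml, reports every tarball or git dependency that carries no integrity hash, flags plaintext http:// tarball URLs, and compares a pnpm version string against the 10.26.0 patch version named above. The lockfile layout it parses (one-line resolution flow mappings), the embedded sample lockfile, its host and package names, and the sha512 placeholder values are assumptions constructed for the example.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample pnpm-lock.yaml for this example (not from a real project);
# host names, package names and the sha512 values are placeholders.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      left-pad:
        specifier: ^1.3.0
        version: 1.3.0
      mytool:
        specifier: http://example.invalid/mytool-1.0.0.tgz
        version: http://example.invalid/mytool-1.0.0.tgz

packages:

  left-pad@1.3.0:
    resolution: {integrity: sha512-PLACEHOLDER1}

  mytool@http://example.invalid/mytool-1.0.0.tgz:
    resolution: {tarball: http://example.invalid/mytool-1.0.0.tgz}

  other@https://example.invalid/other-2.0.0.tgz:
    resolution: {integrity: sha512-PLACEHOLDER2, tarball: https://example.invalid/other-2.0.0.tgz}

  gitdep@git+https://example.invalid/org/gitdep.git#0123abc:
    resolution: {commit: 0123abc, repo: git+https://example.invalid/org/gitdep.git, type: git}
"""

PATCHED_VERSION = (10, 26, 0)  # patch version named in the advisory above


def parse_packages(lock_text: str) -> Dict[str, Dict[str, str]]:
    """Map each key under 'packages:' to the fields of its resolution mapping.

    Assumption: the resolution is written as a one-line flow mapping
    ({k: v, k: v}), so a small line-oriented reader suffices and no YAML
    library is required.
    """
    packages: Dict[str, Dict[str, str]] = {}
    in_packages = False
    current = None
    for line in lock_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if indent == 0:                      # top-level section header
            in_packages = stripped == "packages:"
            current = None
            continue
        if not in_packages:
            continue
        if indent == 2 and stripped.endswith(":"):
            current = stripped[:-1]          # e.g. 'mytool@http://host/mytool-1.0.0.tgz'
            packages[current] = {}
        elif indent == 4 and current and stripped.startswith("resolution:"):
            body = stripped[len("resolution:"):].strip()
            if body.startswith("{") and body.endswith("}"):
                for item in body[1:-1].split(","):
                    key, _, value = item.partition(":")
                    packages[current][key.strip()] = value.strip()
    return packages


def audit(lock_text: str) -> List[Tuple[str, str]]:
    """Return (package_key, issue) pairs for entries the lockfile cannot pin."""
    findings: List[Tuple[str, str]] = []
    for key, res in parse_packages(lock_text).items():
        tarball = res.get("tarball", "")
        if res.get("type") == "git":
            findings.append((key, "git-hosted dependency without integrity hash"))
        elif tarball and "integrity" not in res:
            findings.append((key, "tarball dependency without integrity hash"))
        if tarball.startswith("http://"):
            findings.append((key, "tarball fetched over plaintext HTTP"))
    return findings


def is_fixed_version(version: str) -> bool:
    """True when a 'pnpm --version' string is at or above the patched release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups()) >= PATCHED_VERSION


if __name__ == "__main__":
    # Usage: python audit_lockfile.py [path/to/pnpm-lock.yaml] [pnpm-version]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    for key, issue in audit(text):
        print(f"{key}: {issue}")
    if len(sys.argv) > 2:
        print("pnpm version patched:", is_fixed_version(sys.argv[2]))
```

Run it with no arguments to see the findings for the embedded sample: the http:// tarball is reported twice (no integrity hash, plaintext transport), the git dependency once, and the registry package and the https tarball with an integrity field produce nothing. Pointing it at a real pnpm-lock.yaml and passing the output of pnpm --version gives both halves of the verification step in one pass; any reported entry is a candidate for replacement with a registry or HTTPS source that carries an integrity hash.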

📡 Detection & Monitoring

Log Indicators:

  • HTTP package downloads from unusual sources
  • Lockfile changes without corresponding package.json updates

Network Indicators:

  • HTTP requests to package repositories instead of HTTPS
  • Unusual git protocol usage for package downloads

SIEM Query:

source=*log* (http:// OR git://) AND (pnpm OR npm) AND (install OR fetch)
