CVE-2025-69264

8.8 HIGH

📋 TL;DR

This vulnerability in the pnpm package manager, versions 10.0.0 through 10.25.x, lets a git-hosted dependency run code during installation. pnpm v10 stops running dependency lifecycle scripts by default, but that control is not applied to dependencies fetched from git repositories, so a malicious or compromised repository listed as a dependency (directly or transitively) gets code execution on the installing machine without any prompt or consent. Anyone running an affected pnpm version against a project with git dependencies is exposed.

💻 Affected Systems

Products:
  • pnpm
Versions: 10.0.0 through 10.25.x (fixed in 10.26.0)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations that resolve git-hosted dependencies (git://, git+ssh://, git+https:// URLs and the GitHub shorthand such as github:user/repo), including ones pulled in transitively by another dependency. Packages fetched from the npm registry are not affected.

📦 What is this software?

pnpm is a package manager for Node.js projects and a drop-in alternative to npm. It installs dependencies from the npm registry or from git repositories into a content-addressable store and, since v10, does not run dependency lifecycle scripts (preinstall, install, postinstall, prepare) unless the package is explicitly allowed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary code execution during package installation, potentially leading to data theft, ransomware deployment, or persistent backdoors.

🟠 Likely Case

Malicious packages exploiting this vulnerability could steal credentials, install cryptocurrency miners, or exfiltrate sensitive project data during CI/CD pipelines.

🟢 If Mitigated

With installs running in ephemeral, least-privilege build environments that hold no long-lived credentials and have restricted outbound network access, impact is limited to that build environment and does not reach production systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that the target install a git-hosted dependency, directly or transitively, whose repository the attacker controls, for example through a compromised maintainer account, a hijacked or typo-squatted repository, or an unpinned branch that is later rewritten. No authentication or interaction beyond the install itself is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.26.0

Vendor Advisory: https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj

Restart Required: No

Instructions:

1. Update the global install: npm install -g pnpm@10.26.0 (or any later 10.x release)
2. Pin the project to the fixed version for everyone who builds it: corepack use pnpm@10.26.0, which writes "packageManager": "pnpm@10.26.0" into package.json so CI and developer machines pick up the same release
3. Verify with pnpm --version, on CI runners as well as on developer machines

🔧 Temporary Workarounds

Avoid git dependencies

Applies to: all

Temporarily drop git-hosted dependencies until you can patch: replace git://, git+ssh:// and git+https:// specifiers with versions published to the npm registry, and pin any that must remain to a full commit hash so the repository owner cannot swap the code after you have reviewed it.

Use onlyBuiltDependencies (defense in depth only)

Applies to: all

pnpm v10 only runs lifecycle scripts of dependencies named in the onlyBuiltDependencies allowlist; keeping that list empty in pnpm-workspace.yaml (onlyBuiltDependencies: []) blocks them for registry packages. This advisory describes git-hosted dependencies bypassing exactly that control in affected versions, so the setting does not mitigate this CVE on its own; keep it as a baseline and rely on patching or removing git dependencies.

🧯 If You Can't Patch

  • Audit all git dependencies, including transitive ones recorded in pnpm-lock.yaml, for suspicious repositories and maintainers, and pin each to a full commit hash rather than a branch or tag
  • Run pnpm install as an unprivileged user in an ephemeral container with no long-lived credentials or deploy tokens mounted
  • Restrict outbound network access from build environments to the registries and git hosts you actually use, so a payload cannot call home

🔍 How to Verify

Check if Vulnerable:

Run pnpm --version. Any 10.x release below 10.26.0 (10.0.0 through the 10.25.x series) is affected if the project, or any of its dependencies, uses a git-hosted dependency; a project with only registry packages is not exposed even on an affected version.

Check Version:

pnpm --version

Verify Fix Applied:

Verify pnpm version is 10.26.0 or higher: pnpm --version
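The version check and the "are we even using git dependencies" check above, combined into one script. This is an added example, not code from the advisory or from the pnpm project. It assumes the affected range stated on this page (10.0.0 up to but not including 10.26.0), takes the pnpm version as an argument instead of reading it from the system, and treats the `type: git` pattern as an assumption about how pnpm-lock.yaml records git resolutions that you should confirm against your own lockfile.

```shell
#!/bin/sh
# Added example (not from the pnpm advisory): classify a pnpm version against
# the range this page gives (10.0.0 <= v < 10.26.0) and look for git-hosted
# dependencies in a project's manifest and lockfile.

# pnpm_version_affected VERSION -> 0 if VERSION is in the affected range,
# 1 if outside it, 2 if it does not look like MAJOR.MINOR[.PATCH].
pnpm_version_affected() {
  v=${1#v}                              # tolerate a leading "v"
  case "$v" in *.*) ;; *) return 2 ;; esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case "$major$minor" in *[!0-9]*|"") return 2 ;; esac
  [ "$major" -eq 10 ] && [ "$minor" -lt 26 ]
}

# git_dep_in_text < FILE -> 0 if the text references a git-hosted dependency.
# Matches explicit git URL schemes and the github:/gitlab:/bitbucket:/gist:
# shorthands in package.json, and "type: git" resolutions in pnpm-lock.yaml
# (assumption about the lockfile format; confirm against your own lockfile).
# Bare "user/repo" shorthand is deliberately not matched because the same
# shape appears in ordinary path fields such as "main"; the lockfile check
# still catches it once pnpm has resolved the dependency.
git_dep_in_text() {
  grep -Eq '(git[+][a-z]+|git|ssh)://|"(github|gitlab|bitbucket|gist):|type: git'
}

# check_project DIR VERSION -> 0 when DIR uses git dependencies AND VERSION is
# affected, 1 otherwise. Prints a one-line verdict.
check_project() {
  dir=$1
  ver=$2
  if ! pnpm_version_affected "$ver"; then
    echo "pnpm $ver: not in the affected range (or unparsable), nothing to do"
    return 1
  fi
  for f in "$dir/package.json" "$dir/pnpm-lock.yaml"; do
    if [ -f "$f" ] && git_dep_in_text < "$f"; then
      echo "pnpm $ver is affected and $f references a git-hosted dependency: VULNERABLE"
      return 0
    fi
  done
  echo "pnpm $ver is affected but no git-hosted dependency was found in $dir"
  return 1
}

# Usage from a project directory:  check_project . "$(pnpm --version)"
```

Run it against every project that is built on an affected pnpm, not just the ones whose package.json lists a git URL: a git dependency pulled in transitively shows up only in pnpm-lock.yaml, which is why the script scans both files.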

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution during pnpm install
  • Network connections from pnpm to unknown git repositories
  • prepare/prepublish/prepack script execution in build logs

Network Indicators:

  • Outbound connections to suspicious git repositories during package installation

SIEM Query:

process.name:pnpm AND (process.args:*install* OR process.args:*add*) AND process.args:*git*

This query only catches the case where the git URL is on the command line (pnpm add <git url>). With a plain pnpm install the git specifier lives in package.json and pnpm-lock.yaml, not in the arguments, so also alert on shell, node or git child processes whose parent is pnpm during an install, and on unexpected outbound connections from those processes.
