cbcvebase.
CVE-2025-69264
published 2026-01-07


Priority: P270
Severity: critical (9.8, CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.02% (59.2th percentile)
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.

Affected

3 ranges

Vendor   Product   Version range           Fixed in
pnpm     pnpm      (not specified)         (not specified)
pnpm     pnpm      >= 10.0.0, < 10.26.0    10.26.0
pnpm     pnpm      >= 10.0.0, < 10.26.0    10.26.0

Detection & IOCs (extracted from sources)

  • Monitor for execution of prepare, prepublish, or prepack lifecycle scripts during pnpm install fetch phase, particularly when installing git-hosted dependencies — these scripts can execute arbitrary code even when onlyBuiltDependencies is configured
  • Detect pnpm installs that reference git-hosted dependencies (e.g., git+https://, github:, gitlab: prefixes in package.json or pnpm-lock.yaml) as a risk indicator for this bypass technique
  • Researchers confirmed a proof-of-concept abusing a related git-dependency script execution technique to create a reverse shell; monitor for unexpected outbound network connections spawned from pnpm install child processes
  • The pnpm v10 onlyBuiltDependencies mechanism (intended to block postinstall scripts) does NOT protect against script execution for git-hosted dependencies; prepare, prepublish, and prepack scripts still run during the fetch phase regardless of this setting
  • The 'Dependency lifecycle scripts execution disabled by default' security feature introduced in pnpm v10 is bypassed by this vulnerability for git-hosted dependencies; do not rely on this control alone when git dependencies are present

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor (Red Hat): 8.8 HIGH