CVE-2025-69264 · CRITICAL 9.8 · EPSS percentile 52.1%


Description

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.81% probability of exploitation · percentile 52.1% · scored 2026-06-19T12:03:05Z
Published: 2026-01-07
Last modified: 2026-01-12

Underlying weaknesses (1)

CWE-693 (Protection Mechanism Failure)

References

  1. https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5
  2. https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj


Type      | Target                                  | Confidence | Tier
Weakness  | Protection Mechanism Failure (CWE-693)  | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-69263
  2. CVE: CVE-2025-10894
  3. CVE: CVE-2025-63706
  4. CVE: CVE-2025-62726
  5. CVE: CVE-2026-10796
  6. CVE: CVE-2025-65964
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.