Command Injection Vulnerability in pnpm Package Manager by pnpm
CVE-2025-69262

7.6 HIGH

Key Information:

Vendor: pnpm
Status: Vendor
CVE Published: 7 January 2026

What is CVE-2025-69262?

The pnpm package manager contains a command injection vulnerability in versions 6.25.0 through 10.26.2. The issue arises when environment variable substitution in .npmrc configuration files is combined with tokenHelper settings. An attacker able to control environment variables during pnpm operations can exploit this vulnerability to execute arbitrary code remotely, potentially compromising build environments. The issue has been addressed in version 10.27.0.

Affected Version(s)

pnpm >=6.25.0, < 10.27.0

References

CVSS v3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved