Arbitrary Code Execution in pnpm Package Manager by pnpm
CVE-2025-69264

8.8 HIGH

Key Information:

Vendor: pnpm

Status: Vendor

CVE Published: 7 January 2026

What is CVE-2025-69264?

The pnpm package manager, in versions 10.0.0 to 10.25, allows git-hosted dependencies to execute arbitrary code during installation. Even when pnpm's setting that disables dependency lifecycle scripts is in effect, the 'prepare', 'prepublish', and 'prepack' scripts of a git-hosted dependency are still run without the user's consent, so a malicious dependency can carry out unauthorized actions on the installing machine. The issue has been fixed in version 10.26.0.

Affected Version(s)

pnpm > 10.0.0, < 10.26.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved