CVE-2025-69262 — Vulnetix

CVE-2025-69262 PUBLISHED CVSS 7.599999904632568 HIGH

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.

EPSS 0.08% · 23.7th percentile

Risk Scores

CVSS v3.1

7.599999904632568

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score

0.08%

23.7th percentile

Affected Products

Vendor	Product	Versions
pnpm	pnpm	>=6.25.0, < 10.27.0, 6.25.0
npm	pnpm	6.25.0

Timeline

Jan 7, 2026 CVE Published
Jan 7, 2026 PoC Published
Jan 7, 2026 PoC Published
Jan 8, 2026 CVE Updated
Jan 8, 2026 EPSS Score
Jan 11, 2026 EPSS Score
Jan 14, 2026 EPSS Score
Jan 17, 2026 EPSS Score
Jan 21, 2026 EPSS Score
Jan 24, 2026 EPSS Score
Jan 27, 2026 EPSS Score
Jan 30, 2026 EPSS Score

References

https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx url
https://github.com/pnpm/pnpm/releases/tag/v10.27.0 url
https://nvd.nist.gov/vuln/detail/CVE-2025-69262 advisory
https://github.com/pnpm/pnpm package

Open in Interactive Console →