VDB
CVE-2025-69263
CVE-2025-69263
PUBLISHED
CVSS 8.800000190734863 HIGH
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0.
EPSS 0.02% · 3.5th percentile
Risk Scores
CVSS v3.1
8.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
0.02%
3.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| pnpm | pnpm | < 10.26.0, 0 |
| npm | pnpm | 0 |
Timeline
- Jan 7, 2026 CVE Published
- Jan 7, 2026 PoC Published
- Jan 7, 2026 PoC Published
- Jan 8, 2026 CVE Updated
- Jan 8, 2026 EPSS Score
- Jan 11, 2026 EPSS Score
- Jan 14, 2026 EPSS Score
- Jan 17, 2026 EPSS Score
- Jan 21, 2026 EPSS Score
- Jan 24, 2026 EPSS Score
- Jan 27, 2026 EPSS Score
- Jan 30, 2026 EPSS Score