CVE-2025-69262
Published: 07 January 2026
Summary
CVE-2025-69262 is a high-severity OS Command Injection (CWE-78) vulnerability in pnpm. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked at the 23.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates inputs to block special elements that would alter OS command execution.
- Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Directly prevents execution of attacker-supplied code written into data memory regions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct OS command injection (CWE-78) in pnpm config processing enables arbitrary Unix shell command execution for RCE.
NVD Description
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.
Deeper analysis
CVE-2025-69262 is a Command Injection vulnerability (CWE-78, CWE-94) in pnpm, a JavaScript package manager. It affects versions 6.25.0 through 10.26.2 and stems from unsafe environment variable substitution in .npmrc configuration files when tokenHelper settings are configured. The flaw allows injected commands to run during pnpm operations that process these configurations.
An attacker who can control environment variables during pnpm operations (for example in CI/CD pipelines or build environments) can exploit the vulnerability to achieve remote code execution (RCE). The CVSS v3.1 base score of 7.5 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) reflects a local attack vector requiring high privileges and high attack complexity, but with high confidentiality, integrity, and availability impact across a changed scope.
The issue is addressed in pnpm version 10.27.0. Security practitioners should upgrade to this version or later. Additional details are available in the pnpm release notes at https://github.com/pnpm/pnpm/releases/tag/v10.27.0 and the GitHub Security Advisory at https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx.
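A triage check a build-host owner can run for this CVE, added here as an example and not code from pnpm or the advisory: it flags .npmrc tokenHelper entries that use ${VAR} substitution (the configuration pattern the description names) and tests the installed pnpm version against the affected range 6.25.0 through 10.26.2. The .npmrc content, hostnames and helper paths are constructed sample values.

```python
import re

# Constructed sample .npmrc (not from the advisory): one tokenHelper entry
# uses ${...} environment variable substitution, one uses a fixed path.
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
//registry.npmjs.org/:tokenHelper=/usr/local/bin/get-token
//npm.example.internal/:tokenHelper=${TOKEN_HELPER_DIR}/helper.sh
//npm.example.internal/:_authToken=${NPM_TOKEN}
"""

AFFECTED_MIN = (6, 25, 0)   # first affected version per the NVD description
AFFECTED_MAX = (10, 26, 2)  # last affected version; 10.27.0 contains the fix
ENV_SUBST = re.compile(r"\$\{[^}]*\}")  # ${VAR} substitution marker

def parse_version(version: str) -> tuple:
    """Turn '10.26.2' (optionally 'v'-prefixed) into a comparable tuple."""
    core = version.lstrip("v").split("-")[0]  # drop any pre-release suffix
    return tuple(int(p) for p in core.split("."))

def is_affected(version: str) -> bool:
    """True when the pnpm version lies within 6.25.0 .. 10.26.2."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def risky_token_helpers(npmrc_text: str) -> list:
    """Return (line_no, key, value) for tokenHelper entries whose value
    contains ${VAR} substitution; comments and non key=value lines are skipped."""
    findings = []
    for line_no, raw in enumerate(npmrc_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower().endswith("tokenhelper") and ENV_SUBST.search(value):
            findings.append((line_no, key, value))
    return findings

def assess(version: str, npmrc_text: str) -> dict:
    """Combine both checks into one verdict for a build host."""
    affected = is_affected(version)
    return {
        "version_affected": affected,
        "risky_entries": risky_token_helpers(npmrc_text),
        "action": "upgrade pnpm to 10.27.0 or later" if affected else "version not in affected range",
    }

if __name__ == "__main__":
    print(assess("10.26.2", SAMPLE_NPMRC))
```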
Details
- CWE(s)