CVE-2025-69262
Published: 07 January 2026
Summary
CVE-2025-69262 is a high-severity OS Command Injection (CWE-78) vulnerability in pnpm. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 12.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69262 is a Command Injection vulnerability (CWE-78, CWE-94) in pnpm, a JavaScript package manager. It affects versions 6.25.0 through 10.26.2 and stems from unsafe environment variable substitution in .npmrc configuration files when tokenHelper settings are configured. This allows commands to be injected and executed during pnpm operations that process these configuration files.
An attacker who can control environment variables used during pnpm operations, such as in CI/CD pipelines or build environments, can exploit the vulnerability to achieve remote code execution (RCE). The CVSS v3.1 base score of 7.5 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) reflects a local attack vector requiring high privileges and high attack complexity, but with potential for high-impact confidentiality, integrity, and availability violations across a changed scope.
The issue is addressed in pnpm version 10.27.0. Security practitioners should upgrade to this version or later. Additional details are available in the pnpm release notes at https://github.com/pnpm/pnpm/releases/tag/v10.27.0 and the GitHub Security Advisory at https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1159
Vulnerability details
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct OS command injection (CWE-78) in pnpm config processing enables arbitrary Unix shell command execution for RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the CVE by requiring identification, reporting, and correction of the command injection flaw in vulnerable pnpm versions through patching to 10.27.0 or later.
- RA-5 (Vulnerability Monitoring and Scanning): Vulnerability scanning identifies the presence of this specific command injection vulnerability in pnpm installations within build environments, enabling timely remediation.
- Input validation: Validates environment variables used in .npmrc tokenHelper substitution to block malicious command injection during pnpm operations.