Cyber Resilience

CVE-2025-69262

High · Public PoC

Published: 07 January 2026

Modified: 12 January 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0004 (12.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-69262 is a high-severity OS Command Injection (CWE-78) vulnerability in Pnpm Pnpm. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Unix Shell (T1059.004). Exploit likelihood ranks at the 12.8th percentile (below the median); the CVE is not currently listed in the CISA KEV catalog; a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-69262 is a Command Injection vulnerability (CWE-78, CWE-94) in pnpm, a JavaScript package manager. It affects versions 6.25.0 through 10.26.2 and stems from unsafe environment variable substitution in .npmrc configuration files when tokenHelper settings are configured. Because the substituted value is not sanitised, attacker-controlled content can be executed as a command during pnpm operations that process these configurations.

An attacker who can control environment variables that pnpm reads during its operations, for example in CI/CD pipelines or build environments, can exploit the vulnerability to achieve remote code execution (RCE). The CVSS v3.1 base score of 7.5 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) reflects a local attack vector with high attack complexity and high privileges required, but with high impact on confidentiality, integrity, and availability across a changed scope.

The issue is addressed in pnpm version 10.27.0. Security practitioners should upgrade to this version or later. Additional details are available in the pnpm release notes at https://github.com/pnpm/pnpm/releases/tag/v10.27.0 and the GitHub Security Advisory at https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx.
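As an added defensive example, not code from the pnpm project or from this advisory, the following Python script checks a pnpm version string against the affected range stated above and flags .npmrc tokenHelper entries whose value is taken from `${VAR}` environment substitution, so a build-environment owner can inventory the configuration the advisory describes. It assumes the ini-style .npmrc layout and the `//host/:tokenHelper` key form; the sample .npmrc is constructed.

```python
# Audit helper for CVE-2025-69262 (constructed example, not pnpm project code):
# flags pnpm versions in the affected range and .npmrc tokenHelper entries
# whose value relies on ${VAR} environment-variable substitution.
import re

AFFECTED_MIN = (6, 25, 0)
AFFECTED_MAX = (10, 26, 2)  # last affected release; 10.27.0 carries the fix
ENV_SUBST = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")

def parse_version(text):
    """Turn 'v10.26.2' or '10.27.0-beta.1' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised pnpm version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when the pnpm version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def risky_token_helpers(npmrc_text):
    """Return (key, value) pairs for tokenHelper settings that use env substitution.

    Assumes the usual .npmrc ini layout (key=value per line, '#'/';' comments) and
    matches both a bare 'tokenHelper' and a registry-scoped '//host/:tokenHelper'.
    """
    findings = []
    for raw in npmrc_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower().endswith("tokenhelper") and ENV_SUBST.search(value):
            findings.append((key, value))
    return findings

# Constructed sample .npmrc; the registry hosts are placeholders.
SAMPLE_NPMRC = """\
registry=https://registry.example.invalid/
# token helper whose path comes from the environment: review this entry
//registry.example.invalid/:tokenHelper=${NPM_TOKEN_HELPER}
//other.example.invalid/:_authToken=${NPM_TOKEN}
//safe.example.invalid/:tokenHelper=/usr/local/bin/get-token
"""

if __name__ == "__main__":
    print("pnpm 10.26.2 affected:", is_affected("10.26.2"))
    for key, value in risky_token_helpers(SAMPLE_NPMRC):
        print(f"review: {key} = {value}")
```

A pre-release tag such as `10.26.2-rc.1` is treated as its base version, so it is reported as affected; that is the conservative choice for an audit.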

EU & UK References

Vulnerability details

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct OS command injection (CWE-78) in pnpm config processing enables arbitrary Unix shell command execution for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-69264: same product (Pnpm Pnpm)
CVE-2025-69263: same product (Pnpm Pnpm)
CVE-2026-45152: shared CWE-78
CVE-2025-22495: shared CWE-78
CVE-2026-48695: shared CWE-78
CVE-2026-44466: shared CWE-78
CVE-2026-42290: shared CWE-78
CVE-2026-44724: shared CWE-78
CVE-2024-40891: shared CWE-78
CVE-2026-26280: shared CWE-78

Affected Assets

Vendor: pnpm
Product: pnpm
Versions: 6.25.0 to 10.27.0 (fixed in 10.27.0)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent (SI-2 Flaw Remediation)

Directly mitigates the CVE by requiring identification, reporting, and correction of the command injection flaw in vulnerable pnpm versions through patching to 10.27.0 or later.

detect (RA-5 Vulnerability Monitoring and Scanning)

Vulnerability scanning identifies the presence of this specific command injection vulnerability in pnpm installations within build environments, enabling timely remediation.

prevent

Validates environment variables used in .npmrc tokenHelper substitution to block malicious command injection during pnpm operations.

References