CVE-2025-69264
Published: 07 January 2026
Summary
CVE-2025-69264 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in pnpm, the JavaScript package manager. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The vulnerability is ranked at the 37.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SI-2 (Flaw Remediation): directly addresses the vulnerability by requiring timely flaw remediation, here upgrading pnpm to the fixed version 10.26.0 or later.
- CM-11 (User-installed Software): requires that software users pull in through package managers such as pnpm be checked and validated, so that untrusted git-hosted dependencies cannot execute arbitrary code on developer machines or build agents.
- SI-3 (Malicious Code Protection): deploys malicious code protection at entry points to detect and block the scripts that git dependencies would otherwise run during the pnpm fetch phase.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability lets a malicious git-hosted dependency execute arbitrary code during pnpm install. That makes it a supply chain compromise of software dependencies and development tools (T1195.001), and because the code runs inside the developer's own package manager, it is also exploitation for client execution (T1203).
NVD Description
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.
Deeper analysis [AI-generated]
CVE-2025-69264 is a vulnerability in pnpm, a JavaScript package manager, affecting versions 10.0.0 through 10.25. It enables git-hosted dependencies to execute arbitrary code during the pnpm install process, bypassing the v10 security feature that disables dependency lifecycle scripts by default. Specifically, while pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still trigger prepare, prepublish, and prepack scripts during the fetch phase, resulting in remote code execution without user consent or approval. The onlyBuiltDependencies allow-list therefore gives a false sense of coverage: it governs the build step, not the fetch step. The vulnerability is rated 8.8 on the CVSS 3.1 scale (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-693.
A remote attacker can exploit this vulnerability by publishing or controlling a malicious git repository whose package.json defines prepare, prepublish, or prepack scripts. Users running pnpm install on a project that depends on this git-hosted repository, directly or transitively, automatically execute those scripts during the fetch phase. The only user interaction required is starting the install; no approval prompt is shown. Exploitation leads to arbitrary code execution on the victim's system, compromising confidentiality, integrity, and availability with high impact.
The vulnerability was published on 2026-01-07 and fixed in pnpm version 10.26.0. Security practitioners should upgrade to 10.26.0 or later. Additional details are available in the GitHub security advisory at https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj and the fixing commit at https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5.
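As an added example (not pnpm's own code and not from the advisory), the following Node.js script audits a project for the condition described above: it identifies dependencies whose version specifier resolves from git, inspects each fetched dependency's package.json for the three fetch-time scripts the advisory names (prepare, prepublish, prepack), and reports them as executing at fetch time only when the pnpm in use falls in the affected range 10.0.0 up to but not including 10.26.0. The git-specifier patterns, the version comparison and the sample manifests are assumptions constructed for illustration; the script names and the version range come from the advisory.

```javascript
// Added example: audit a project for git-hosted dependencies whose
// prepare/prepublish/prepack scripts pnpm 10.0.0-10.25.x runs at fetch time
// (CVE-2025-69264). Not pnpm project code; patterns and sample data are
// constructed for illustration.

// Version specifiers that pnpm resolves from git instead of the registry.
// Assumption: these cover the common npm/pnpm git specifier forms.
const GIT_SPEC = new RegExp(
  "^(" +
    "git(\\+(ssh|https?|file))?://" +                           // git://, git+ssh://, git+https://
    "|(github|gitlab|bitbucket|gist):" +                        // hosted shorthand with prefix
    "|https?://(github\\.com|gitlab\\.com|bitbucket\\.org)/" +   // bare hosted repo URL
    "|[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(#.*)?$" +                 // bare user/repo[#ref]
  ")"
);

// Lifecycle scripts the advisory says still run during the git fetch phase.
const FETCH_TIME_SCRIPTS = ["prepare", "prepublish", "prepack"];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function isGitSpecifier(spec) {
  return typeof spec === "string" && GIT_SPEC.test(spec.trim());
}

// Minimal semver-style parse: MAJOR.MINOR.PATCH with an optional pre-release tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable pnpm version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// Returns -1, 0 or 1. A pre-release sorts below the same core version, so
// "10.26.0-beta.1" is still treated as older than the fixed 10.26.0.
function compareVersions(a, b) {
  const A = parseVersion(a);
  const B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] < B.core[i] ? -1 : 1;
  }
  if (A.prerelease !== B.prerelease) return A.prerelease ? -1 : 1;
  return 0;
}

// Affected range from the advisory: 10.0.0 up to but not including 10.26.0.
function isVulnerablePnpm(version) {
  return compareVersions(version, "10.0.0") >= 0 && compareVersions(version, "10.26.0") < 0;
}

// Direct dependencies of a package.json object that resolve from git.
function findGitDependencies(pkg) {
  const found = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isGitSpecifier(spec)) found.push({ name, spec, field });
    }
  }
  return found;
}

// Names of the fetch-time scripts a fetched dependency's package.json defines.
// Inspect the manifest only; never run it.
function fetchTimeScripts(depPkg) {
  const scripts = (depPkg && depPkg.scripts) || {};
  return FETCH_TIME_SCRIPTS.filter((s) => typeof scripts[s] === "string" && scripts[s].trim() !== "");
}

// Combine the three checks. executesAtFetch is true only when the dependency
// is git-hosted, defines a fetch-time script, and the pnpm in use is in range.
function audit({ pnpmVersion, rootPkg, fetchedPkgs }) {
  const vulnerable = isVulnerablePnpm(pnpmVersion);
  return findGitDependencies(rootPkg).map((dep) => {
    const scripts = fetchTimeScripts(fetchedPkgs[dep.name]);
    return { ...dep, scripts, executesAtFetch: vulnerable && scripts.length > 0 };
  });
}

// Constructed sample input: a root manifest plus the manifests pnpm would
// have fetched for its git dependencies (names and repos are made up).
const SAMPLE_ROOT_PKG = {
  name: "sample-app",
  dependencies: { lodash: "^4.17.21", widget: "github:acme/widget#v1" },
  devDependencies: { tool: "git+https://github.com/acme/tool.git" },
};
const SAMPLE_FETCHED_PKGS = {
  widget: { name: "widget", scripts: { prepare: "node setup.js", test: "node test.js" } },
  tool: { name: "tool", scripts: { build: "tsc" } },
};

function demoAudit() {
  return audit({ pnpmVersion: "10.25.1", rootPkg: SAMPLE_ROOT_PKG, fetchedPkgs: SAMPLE_FETCHED_PKGS });
}

console.log(JSON.stringify(demoAudit(), null, 2));
```

Two caveats apply. The script walks only the direct dependencies of one package.json; a real audit has to cover transitive git dependencies as well, which means walking pnpm-lock.yaml (or the store) rather than the root manifest, since the advisory notes that a transitively pulled git dependency is just as affected. And a clean result on a patched pnpm is still worth acting on: a git dependency that carries a prepare script is a build-time code-execution path that every package manager eventually has to honour somewhere, so the reported dependencies are candidates for pinning to a commit hash or replacing with a registry release.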
Details
- CWE(s)