Cyber Resilience

CVE-2025-69264

High | Public PoC | Updated

Published: 07 January 2026
Modified: 30 June 2026
KEV Added: not listed
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0081 (52.3rd percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2025-69264 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in the pnpm package manager (vendor Pnpm, product Pnpm). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE ranks in the top 47.7% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-69264 is a vulnerability in pnpm, a JavaScript package manager, affecting versions 10.0.0 through 10.25. It enables git-hosted dependencies to execute arbitrary code during the pnpm install process, bypassing the v10 security feature that disables dependency lifecycle scripts by default. Specifically, while pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still trigger prepare, prepublish, and prepack scripts during the fetch phase, resulting in remote code execution without user consent or approval. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-693.

A remote attacker can exploit this vulnerability by publishing or controlling a malicious git repository that includes scripts for the prepare, prepublish, or prepack phases. Users running pnpm install on a package that transitively depends on this git-hosted dependency automatically execute those scripts during the fetch phase; the only user interaction required is starting the install command, and no additional approval is requested. Exploitation leads to arbitrary code execution on the victim's system, with high impact on confidentiality, integrity, and availability.

The vulnerability was published on 2026-01-07 and fixed in pnpm version 10.26.0. Security practitioners should upgrade to 10.26.0 or later. Additional details are available in the GitHub security advisory at https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj and the fixing commit at https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5.
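The analysis above describes the gap: the onlyBuiltDependencies allow-list gates build scripts such as postinstall, but git-hosted dependencies on affected versions still run prepare, prepublish and prepack while being fetched. The following Node.js script is an added example (not code from the advisory or from the pnpm project) showing how a defender could audit a project offline before running an install: it flags git-hosted specifiers in a package.json, checks whether each such dependency's own manifest declares a fetch-phase script, and gates on the affected version range stated on this page. All manifests are constructed sample data; the location of the allow-list at `pnpm.onlyBuiltDependencies` in package.json and the git-specifier heuristics are assumptions of this example.

```javascript
// Added example, not code from the advisory or from the pnpm project: an
// offline audit of a project's manifests for git-hosted dependencies that
// declare the fetch-phase lifecycle scripts (prepare, prepublish, prepack)
// which CVE-2025-69264 describes as running during `pnpm install` on
// affected versions, regardless of the onlyBuiltDependencies allow-list.
// Every manifest below is constructed sample data.

// Lifecycle scripts the advisory names as running during the git fetch phase.
const FETCH_PHASE_SCRIPTS = ['prepare', 'prepublish', 'prepack'];

// Heuristic (assumption of this example): does a dependency specifier resolve
// from a git host rather than the registry? Covers git+<proto>://, git://,
// hosted shortcuts (github: etc.), https URLs ending in .git, and the bare
// "owner/repo[#ref]" shorthand. Registry ranges, workspace:, npm:, file: and
// link: specifiers all fall through to false.
function isGitSpecifier(spec) {
  if (typeof spec !== 'string') return false;
  if (/^git\+/.test(spec) || /^git:\/\//.test(spec)) return true;
  if (/^(github|gitlab|bitbucket|gist):/.test(spec)) return true;
  if (/^https?:\/\/\S+\.git(#\S*)?$/.test(spec)) return true;
  return /^[\w.-]+\/[\w.-]+(#\S*)?$/.test(spec);
}

// Version gate from the page: 10.0.0 through 10.25.x affected, fixed in 10.26.0.
function isAffectedPnpmVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) return false;
  return Number(m[1]) === 10 && Number(m[2]) < 26;
}

// rootManifest: the project's parsed package.json.
// resolvedManifests: map from dependency name to the package.json found in
// that dependency's git checkout at the pinned ref (obtained out of band; a
// real audit would clone the ref and read the file rather than run install).
// A finding is emitted for every git-hosted dependency declaring a fetch-phase
// script. Presence on pnpm.onlyBuiltDependencies (assumed location of the
// allow-list) is recorded but does not suppress the finding, because on
// affected versions that list gates build scripts only, not fetch-phase ones.
function auditGitDependencies(rootManifest, resolvedManifests) {
  const allow = new Set((rootManifest.pnpm && rootManifest.pnpm.onlyBuiltDependencies) || []);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(rootManifest[field] || {})) {
      if (!isGitSpecifier(spec)) continue;
      const scripts = (resolvedManifests[name] && resolvedManifests[name].scripts) || {};
      const hits = FETCH_PHASE_SCRIPTS.filter((s) => Object.prototype.hasOwnProperty.call(scripts, s));
      if (hits.length === 0) continue;
      findings.push({ name, spec, field, scripts: hits, allowListed: allow.has(name) });
    }
  }
  return findings;
}

// Constructed sample project: one registry dependency, three git-hosted ones.
const SAMPLE_ROOT = {
  name: 'sample-app',
  dependencies: {
    'registry-lib': '^1.4.0',
    'git-lib': 'git+https://git.example.invalid/org/git-lib.git#v2.1.0',
    'short-lib': 'example-org/short-lib#main',
  },
  devDependencies: { tooling: 'github:example-org/tooling' },
  pnpm: { onlyBuiltDependencies: ['tooling'] },
};

// Constructed manifests as they would be read from each git checkout.
const SAMPLE_RESOLVED = {
  'git-lib': { scripts: { prepare: 'node build.js', test: 'node test.js' } },
  'short-lib': { scripts: { build: 'tsc' } },
  tooling: { scripts: { prepack: 'node pack.js', postinstall: 'node setup.js' } },
};

// Human-readable report: the version verdict, then one line per finding.
function report(pnpmVersion, rootManifest, resolvedManifests) {
  const verdict = isAffectedPnpmVersion(pnpmVersion)
    ? 'AFFECTED (upgrade to 10.26.0 or later)'
    : 'not in affected range';
  const lines = [`pnpm ${pnpmVersion}: ${verdict}`];
  for (const f of auditGitDependencies(rootManifest, resolvedManifests)) {
    lines.push(`${f.field}/${f.name} (${f.spec}): runs ${f.scripts.join(', ')} at fetch time` +
      (f.allowListed ? ' [allow-listed, which does not cover fetch-phase scripts]' : ''));
  }
  return lines;
}

for (const line of report('10.25.1', SAMPLE_ROOT, SAMPLE_RESOLVED)) console.log(line);
```

On the sample data the audit reports git-lib (prepare) and tooling (prepack) and stays silent on short-lib, which is git-hosted but declares only a build script; the allow-list entry for tooling is shown but does not clear it, which is the point of the advisory. The check is a pre-install gate for CI or a pre-commit hook, not a replacement for upgrading to 10.26.0.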


Vulnerability details

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.

CWE(s)

CWE-693 Protection Mechanism Failure

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1195.001 Compromise Software Dependencies and Development Tools (Initial Access): adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
T1203 Exploitation for Client Execution (Execution): adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Vulnerability enables arbitrary code execution via malicious git-hosted dependencies during pnpm install, facilitating supply chain compromise of software dependencies (T1195.001) and exploitation for client execution in the package manager (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69263 (same product: Pnpm Pnpm)
CVE-2025-69262 (same product: Pnpm Pnpm)
CVE-2026-21510 (shared CWE-693)
CVE-2026-21513 (shared CWE-693)
CVE-2026-8969 (shared CWE-693)
CVE-2026-6763 (shared CWE-693)
CVE-2026-8962 (shared CWE-693)
CVE-2026-8018 (shared CWE-693)
CVE-2026-8945 (shared CWE-693)
CVE-2026-4447 (shared CWE-693)

Affected Assets

Vendor: pnpm
Product: pnpm
Versions: 10.0.0 to 10.26.0 (10.26.0 is the fixed version)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent, recover)

Directly addresses the vulnerability by requiring timely flaw remediation: upgrade pnpm to the fixed version 10.26.0 or later.

CM-11 User-installed Software (prevent)

Requires checking and validating user-installed software fetched through package managers like pnpm, so that arbitrary code from untrusted git-hosted dependencies is not executed.

SI-3 Malicious Code Protection (detect, respond)

Deploys malicious code protection at entry points to scan for and eradicate scripts triggered during the pnpm fetch of git dependencies.

References

GitHub security advisory: https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj
Fixing commit: https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5