CVE

CVE-2025-69262

pnpm vulnerable to Command Injection via environment variable substitution

CVE

CVE-2025-69262

pnpm vulnerable to Command Injection via environment variable substitution

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.5

3.1

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

3.1

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69262.json, https://github.com/pnpm/pnpm/releases/tag/v10.27.0, https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx, https://nvd.nist.gov/vuln/detail/CVE-2025-69262

Severity

7.5

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.5

EPSS Probability

0.00109%

EPSS Percentile

0.29884%

Introduced Version

4e55758eeec46c6f56e183ebd0a615c491eead09

Fix Available

6bdba72ad31e4d6b79821405e09c6bdcc93894ee

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-69262

CVE-2025-69262

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

7.5

Basic Information

Fix Critical Vulnerabilities Instantly