CVE-2025-69262

Опубликовано: 07 янв. 2026

Источник: nvd

CVSS3: 7.5

CVSS3: 7.8

EPSS Низкий

Описание

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.

Ссылки

https://github.com/pnpm/pnpm/releases/tag/v10.27.0
Product
Release Notes
https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx
Exploit
Vendor Advisory
https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:*:node.js:*

Версия от 6.25.0 (включая) до 10.27.0 (исключая)

EPSS

Процентиль: 22%

0.0007

Низкий

7.5 High

CVSS3

7.8 High

CVSS3

Дефекты

CWE-78

Связанные уязвимости

CVE-2025-69262

CVSS3: 7.5

redhat

3 месяца назад

CVE-2025-69262

CVSS3: 7.5

debian

3 месяца назад

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Comm ...

GHSA-2phv-j68v-wwqx

CVSS3: 7.5

github

3 месяца назад

pnpm vulnerable to Command Injection via environment variable substitution

EPSS

Процентиль: 22%

0.0007

Низкий

7.5 High

CVSS3

7.8 High

CVSS3

Дефекты

CWE-78