CVE-2025-69264
Published: 07 January 2026
Description
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SI-2 Flaw Remediation: directly addresses the vulnerability by requiring timely flaw remediation, here upgrading pnpm to the fixed version 10.26.0 or later.
- CM-11 User-Installed Software: requires checking and validating software that users install through package managers such as pnpm, so that arbitrary code from untrusted git-hosted dependencies is not executed.
- SI-3 Malicious Code Protection: deploys malicious code protection at entry points to scan for and eradicate scripts triggered while pnpm fetches git dependencies.
Security Summary [AI-generated]
CVE-2025-69264 is a vulnerability in pnpm, a JavaScript package manager, affecting versions 10.0.0 through 10.25. It enables git-hosted dependencies to execute arbitrary code during the pnpm install process, bypassing the v10 security feature that disables dependency lifecycle scripts by default. Specifically, while pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still trigger prepare, prepublish, and prepack scripts during the fetch phase, resulting in remote code execution without user consent or approval. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H) and maps to CWE-693.
A remote attacker can exploit this vulnerability by publishing or controlling a malicious git repository that includes scripts in the prepare, prepublish, or prepack phases. Users running pnpm install on a package that transitively depends on this git-hosted dependency will automatically execute the scripts during the fetch phase, requiring only user initiation of the install command—no additional approval is needed. Exploitation leads to arbitrary code execution on the victim's system, compromising confidentiality, integrity, and availability with high impact.
The vulnerability was published on 2026-01-07 and fixed in pnpm version 10.26.0. Security practitioners should upgrade to 10.26.0 or later. Additional details are available in the GitHub security advisory at https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj and the fixing commit at https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5.
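The two conditions that make an install exposed are stated above: a pnpm version in the affected range, and a git-hosted dependency whose prepare, prepublish or prepack script runs during fetch. The following Node.js script is an added example, not code from the pnpm project or the advisory: it flags git-style dependency specifiers in a package.json and checks a pnpm version string against the affected range 10.0.0 <= v < 10.26.0. The sample manifest is constructed, and the specifier patterns are an approximation of the git forms npm-style manifests accept (git+ssh://, github:, https URLs ending in .git, bare user/repo shorthand); they are an assumption of this example, not a list taken from pnpm.

```javascript
// Added example for CVE-2025-69264 triage (not pnpm project code).
// Flags git-hosted dependency specifiers in a manifest and tests whether a
// pnpm version falls in the affected range 10.0.0 <= v < 10.26.0.

const FIRST_AFFECTED = "10.0.0";
const FIXED_VERSION = "10.26.0";

// Assumed set of specifier shapes that resolve to a git repository rather than
// a registry tarball. Version ranges, "file:", "workspace:", "npm:" aliases and
// plain tarball URLs deliberately do not match.
const GIT_SPEC_PATTERNS = [
  /^git(\+(ssh|https?|file))?:\/\//i, // git://, git+ssh://, git+https://
  /^(github|gitlab|bitbucket|gist):/i, // hosted shorthand with explicit prefix
  /^https?:\/\/.+\.git(#.*)?$/i,       // https URL ending in .git (+ optional #ref)
  /^[\w.-]+\/[\w.-]+(#.*)?$/,          // bare "user/repo" GitHub shorthand
];

function isGitSpecifier(spec) {
  if (typeof spec !== "string") return false;
  return GIT_SPEC_PATTERNS.some((re) => re.test(spec));
}

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns one {field, name, spec} record per git-hosted direct dependency.
function findGitDependencies(manifest) {
  const hits = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (isGitSpecifier(spec)) hits.push({ field, name, spec });
    }
  }
  return hits;
}

// Numeric major.minor.patch comparison; a prerelease suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the version is in the affected range published for this CVE.
function isAffectedPnpmVersion(version) {
  const v = version.trim().replace(/^v/, "");
  return compareVersions(v, FIRST_AFFECTED) >= 0 && compareVersions(v, FIXED_VERSION) < 0;
}

// Combined triage: exposure requires both an affected pnpm and a git dependency.
function assessManifest(manifest, pnpmVersion) {
  const gitDeps = findGitDependencies(manifest);
  const affectedPnpm = isAffectedPnpmVersion(pnpmVersion);
  return { pnpmVersion, affectedPnpm, gitDeps, exposed: affectedPnpm && gitDeps.length > 0 };
}

// Constructed sample manifest; names and hosts are placeholders, not real packages.
const SAMPLE_MANIFEST = {
  name: "sample-app",
  dependencies: {
    "range-dep": "^1.3.0",
    "internal-lib": "github:example-org/internal-lib#v2.1.0",
    "legacy-tool": "git+ssh://git@git.example.com/tools/legacy-tool.git#main",
  },
  devDependencies: {
    "eslint-config-example": "example-org/eslint-config-example",
    "local-helper": "file:../local-helper",
    "tarball-dep": "https://registry.example.com/tarball-dep-1.0.0.tgz",
  },
};

// Stand-alone run: assess the sample against a pnpm version in the affected range.
console.log(JSON.stringify(assessManifest(SAMPLE_MANIFEST, "10.25.0"), null, 2));
```

This covers direct dependencies only; since the advisory notes that a transitive git-hosted dependency is enough, a complete check should walk the resolved lockfile (pnpm-lock.yaml) for git resolutions as well, and the durable fix remains upgrading to 10.26.0 or later.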
Details
- CWE(s): CWE-693 (Protection Mechanism Failure)
- Affected Products: pnpm versions 10.0.0 through 10.25 (fixed in 10.26.0)
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Vulnerability enables arbitrary code execution via malicious git-hosted dependencies during pnpm install, facilitating supply chain compromise of software dependencies (T1195.001) and exploitation for client execution in the package manager (T1203).