Home > Vulnerability Database > CVE-2025-69264

Mend.io Vulnerability Database

CVE-2025-69264

Good to know:

Date: January 7, 2026

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.

Severity Score

8.8

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-69264

Url: https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj

Url: https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5

Url: https://github.com/pnpm/pnpm

Url: https://www.mend.io/vulnerability-database/CVE-2025-69264

Severity Score

8.8

Weakness Type (CWE)

Protection Mechanism Failure

CWE-693

Top Fix

Upgrade Version

Upgrade to version pnpm - 10.26.0;https://github.com/pnpm/pnpm.git - v10.26.0

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-69264

Good to know:

Date: January 7, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?