CVE-2025-69263

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H                                    

Vulnerability Description

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0.

Vulnerability Details

Published Date

January 07, 2026

Last Modified

January 12, 2026

CWE ID

CWE-494

Source

NVD

Vendor

pnpm

Product

pnpm

External References

https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85
https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw

CVE-2025-69263

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment