PatchSiren cyber security CVE debrief

CVE-2025-69263 pnpm CVE debrief

CVE-2025-69263 is a high-severity vulnerability affecting pnpm, a package manager for Node.js. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. Because the lockfile records no hash to compare a download against, a remote server can serve different content on each install, even when a lockfile is committed. An attacker can exploit this by publishing a package with an HTTP tarball dependency and serving different code to different users or CI/CD environments. The attack requires the victim to install a package with an HTTP/git tarball somewhere in its dependency tree; the victim's lockfile provides no protection. This issue is fixed in version 10.26.0. Given the high CVSS score of 7.5, defenders should prioritize patching. Disclosure and public awareness of the vulnerability are important for mitigating potential attacks.

Vendor: pnpm
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-07
Original CVE updated: 2026-06-22
Advisory published: 2026-01-07
Advisory updated: 2026-06-22

Who should care

Developers and administrators using pnpm for package management should be aware of this vulnerability. Specifically, those who manage packages with HTTP tarball dependencies or git-hosted tarballs are at risk. CI/CD environments that install packages using pnpm are also potentially exposed. Given the high severity and potential for code manipulation, immediate attention is necessary to limit exposure.

Technical summary

The vulnerability in pnpm (CVE-2025-69263) stems from the lack of integrity hashes for HTTP tarball dependencies and git-hosted tarballs in the lockfile for versions 10.26.2 and below. Without a recorded hash, the server hosting the tarball can alter the code delivered at installation time. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H: network-reachable, high attack complexity, no privileges required, user interaction required (the victim must run an install), and high impact on confidentiality, integrity and availability, giving a high severity score. The CWE associated with this vulnerability is CWE-494 (Download of Code Without Integrity Check). The issue is addressed in pnpm version 10.26.0.

Defensive priority

High priority due to potential for code manipulation and high CVSS score.

Recommended defensive actions

  • Update pnpm to version 10.26.0 or later to ensure integrity hashes are included for tarball dependencies.
  • Review and update lockfiles for packages with HTTP tarball dependencies or git-hosted tarballs.
  • Implement compensating controls such as monitoring package installations and verifying package integrity.
  • Inventory packages and dependencies to identify potential exposure.
  • Review official advisories and patches from pnpm.

Evidence notes

The primary evidence for this vulnerability comes from the NVD and CVE records. The vulnerability affects pnpm versions 10.26.2 and below. The issue is fixed in version 10.26.0. Defenders should verify the version of pnpm in use and review lockfiles for affected packages. The key detail is that lockfile entries for HTTP tarball dependencies and git-hosted tarballs carry no integrity hash, so a committed lockfile alone does not pin what those entries install.

Official resources

This article is AI-assisted and based on the supplied source corpus.