2427703 – (CVE-2025-69263) CVE-2025-69263 pnpm: pnpm Lockfile Integrity Bypass

Bug 2427703 (CVE-2025-69263) - CVE-2025-69263 pnpm: pnpm Lockfile Integrity Bypass

Summary: CVE-2025-69263 pnpm: pnpm Lockfile Integrity Bypass

Keywords:
Status:	NEW
Alias:	CVE-2025-69263
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2427716 2427717
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-07 22:02 UTC by OSIDB Bzimport
Modified:	2026-01-07 22:59 UTC (History)
CC List:	27 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-07 22:02:19 UTC

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
alizardo
asoldano
bbaranow
bmaxwell
brian.stansberry
darran.lofthouse
dosoudil
fjuma
istudens
ivassile
iweiss
jchui
jhe
ktsao
mosmerov
msvehla
nboldt
nwallace
pberan
pesilva
pjindal
pmackay
psrna
rstancel
smaestri
tom.jenkinson