2427709 – (CVE-2025-69264) CVE-2025-69264 pnpm: pnpm code execution

Bug 2427709 (CVE-2025-69264) - CVE-2025-69264 pnpm: pnpm code execution

Summary: CVE-2025-69264 pnpm: pnpm code execution

Keywords:
Status:	NEW
Alias:	CVE-2025-69264
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2427714 2427715
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-07 22:02 UTC by OSIDB Bzimport
Modified:	2026-01-07 22:56 UTC (History)
CC List:	27 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-07 22:02:43 UTC

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
alizardo
asoldano
bbaranow
bmaxwell
brian.stansberry
darran.lofthouse
dosoudil
fjuma
istudens
ivassile
iweiss
jchui
jhe
ktsao
mosmerov
msvehla
nboldt
nwallace
pberan
pesilva
pjindal
pmackay
psrna
rstancel
smaestri
tom.jenkinson