
Node.js CVE-2025-69264

HIGH
Protection Mechanism Failure (CWE-693)
2026-01-07 security-advisories@github.com GHSA-379q-355j-w6rj
8.8
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 8.8 HIGH, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE: HIGH (qualitative)
Red Hat: 8.8 HIGH (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
PoC Detected: Jan 12, 2026 - 21:53 (vuln.today), public exploit code
Patch released: Jan 12, 2026 - 21:53 (nvd), patch available
CVE Published: Jan 07, 2026 - 22:15 (nvd), HIGH 8.8

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4):
  • 2 npm packages depend on pnpm (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 10.0.0.

Description (GitHub Advisory)

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.
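The practical question the advisory raises is "which of my dependencies would pnpm build from git, and what would run when it does?". The script below is an added example written for this page, not pnpm's own code or anything from the advisory: it classifies package.json dependency specifiers that npm and pnpm resolve to a git clone (git+ssh://, git+https://, github:user/repo and bare user/repo shorthands, https URLs ending in .git), lists which of the three fetch-phase scripts named in the advisory (prepare, prepublish, prepack) a fetched manifest declares, and checks whether a pnpm version falls in the affected 10.0.0 through 10.25 range. The function names, regular expressions and the sample manifests are this example's own assumptions; the sample project and repositories are constructed and do not exist. In real use you would read the root package.json from disk and fetch each git dependency's package.json at its pinned commit before letting pnpm install it. The example does not parse pnpm-lock.yaml.

```javascript
// Added example (not pnpm's code): find dependencies that pnpm 10.0.0-10.25 would
// build from git at fetch time, where prepare/prepublish/prepack run even though
// lifecycle scripts are disabled by default. Names and regexes are assumptions.

const FETCH_PHASE_SCRIPTS = ["prepare", "prepublish", "prepack"]; // named in the advisory

// Specifier shapes that resolve to a git clone rather than a registry tarball.
const GIT_SCHEME = /^(git|git\+ssh|git\+https?|git\+file|ssh):\/\//i;
const HOSTED_PREFIX = /^(github|gitlab|bitbucket|gist):/i;
const HTTP_GIT_URL = /^https?:\/\/\S+\.git(#\S*)?$/i;
const BARE_SHORTHAND = /^[\w.-]+\/[\w.-]+(#\S*)?$/; // user/repo[#ref] means GitHub

function isGitSpec(spec) {
  if (typeof spec !== "string") return false;
  const s = spec.trim();
  return (
    GIT_SCHEME.test(s) || HOSTED_PREFIX.test(s) || HTTP_GIT_URL.test(s) || BARE_SHORTHAND.test(s)
  );
}

// True when the pnpm version is inside the advisory's affected range (10.0.0 through 10.25.x).
function isAffectedPnpm(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`unparseable pnpm version: ${version}`);
  const major = Number(m[1]);
  const minor = Number(m[2]);
  return major === 10 && minor <= 25;
}

// Every git-hosted dependency declared in a root package.json object.
function findGitDependencies(rootPkg) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies"];
  const found = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(rootPkg[field] || {})) {
      if (isGitSpec(spec)) found.push({ name, field, spec });
    }
  }
  return found;
}

// Fetch-phase scripts a cloned manifest declares; postinstall is deliberately not
// listed because the v10 onlyBuiltDependencies gate still blocks it.
function fetchPhaseScripts(depManifest) {
  const scripts = (depManifest && depManifest.scripts) || {};
  return FETCH_PHASE_SCRIPTS.filter(
    (s) => typeof scripts[s] === "string" && scripts[s].trim() !== ""
  );
}

// Cross-reference git dependencies with their manifests as they are at the pinned ref.
function auditProject(rootPkg, manifestsByName) {
  return findGitDependencies(rootPkg).map((dep) => ({
    ...dep,
    runsAtFetch: fetchPhaseScripts(manifestsByName[dep.name]),
  }));
}

// Constructed sample input (not a real project): one registry dep and three git deps.
const SAMPLE_ROOT = {
  name: "sample-app",
  dependencies: {
    lodash: "^4.17.21",
    "some-lib": "github:example-org/some-lib#v1.2.0",
    "other-lib": "git+https://example.invalid/other/lib.git#abc123",
  },
  devDependencies: { "dev-tool": "example-org/dev-tool" },
};

// Constructed manifests, as they would be read from each cloned repository.
const SAMPLE_MANIFESTS = {
  "some-lib": { name: "some-lib", scripts: { prepare: "node build.js", test: "jest" } },
  "other-lib": { name: "other-lib", scripts: { postinstall: "node setup.js" } },
  "dev-tool": { name: "dev-tool", scripts: { prepack: "node pack.js", prepublish: "node pub.js" } },
};

function sampleReport() {
  return auditProject(SAMPLE_ROOT, SAMPLE_MANIFESTS);
}

for (const f of sampleReport()) {
  const risk = f.runsAtFetch.length
    ? `runs ${f.runsAtFetch.join(", ")} at fetch time`
    : "no fetch-phase scripts";
  console.log(`${f.field}/${f.name} (${f.spec}): ${risk}`);
}
console.log(`pnpm 10.25.1 affected: ${isAffectedPnpm("10.25.1")}; 10.26.0 affected: ${isAffectedPnpm("10.26.0")}`);
```

On the sample input the report flags some-lib (prepare) and dev-tool (prepublish, prepack) as running code at fetch time, while other-lib, which only has a postinstall script, is still covered by the v10 gate. That distinction is the whole vulnerability: the same project is safe or not depending on which script name the git-hosted package chose.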

Analysis (AI)

pnpm v10 introduced "Dependency lifecycle scripts execution disabled by default": install-phase scripts such as postinstall run only for packages the project has explicitly allow-listed through onlyBuiltDependencies. That gate covers the install phase only. A dependency resolved from a git repository is not a prebuilt tarball, so pnpm 10.0.0 through 10.25 builds it from source during the fetch phase, and any prepare, prepublish or prepack script declared in the repository's package.json runs at that point, outside the allow-list and without any prompt or approval. Whoever controls a git-hosted dependency in a project's dependency tree can therefore run arbitrary code on every machine that runs pnpm install against that project. The CVSS vector reflects this: no privileges are needed (PR:N), a victim has to perform the install (UI:R), and the code runs in the context of the user doing so (C:H/I:H/A:H). [CVSS 8.8 HIGH]

Technical Context (AI)

Classified as CWE-693 (Protection Mechanism Failure): the defect is not a bug in any particular script but a gap in the protection mechanism itself, since the v10 lifecycle-script gate (onlyBuiltDependencies) governs install-phase scripts and leaves the fetch-phase scripts of git dependencies ungated. Affects pnpm 10.0.0 through 10.25; fixed in 10.26.0. Earlier major versions predate the v10 default and run lifecycle scripts unless configured otherwise, so they are outside the affected range but offer no protection either.

Remediation (AI)

A vendor patch is available: upgrade pnpm to 10.26.0 or later (check with pnpm --version, and pin the fixed version in the project's packageManager field so CI and contributors use it). Until every machine is upgraded, treat any git-hosted dependency (git+ssh://, git+https://, github:user/repo and user/repo shorthands) as code that will execute at fetch time: review its prepare, prepublish and prepack scripts at the pinned commit before adding it, pin git dependencies to commit hashes rather than branches or tags, and prefer registry-published packages where possible. Restricting network access does not help here; the code runs on the developer or CI machine performing the install.

Vendor Status

SUSE: Severity High


CVE-2025-69264 vulnerability details – vuln.today
