pnpm v10+ Bypass “Dependency lifecycle scripts execution disabled by default”

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.

AI Analysis

Remote code execution vulnerability in pnpm due to bypass of dependency lifecycle scripts execution disabled by default

Basic Information

ID CVE-2025-69264

Source GitHub_M

Published Jan 7, 2026 at 21:53

Affected Product

Vendor pnpm

Product pnpm

Version > 10.0.0, < 10.26.0

Affected Versions pnpm pnpm > 10.0.0, < 10.26.0

CWE Classification

CWE-693

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor pnpm

Product pnpm

Version 10.0.0-10.25

References

{
    "lastseen": "",
    "description": "pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature \"Dependency lifecycle scripts execution disabled by default\". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.",
    "published": "2026-01-07T21:53:09.806Z",
    "modified": "2026-01-07T21:53:09.806Z",
    "type": "cve",
    "title": "pnpm v10+ Bypass \"Dependency lifecycle scripts execution disabled by default\"",
    "source": "GitHub_M",
    "references": "https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj\nhttps://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5",
    "id": "CVE-2025-69264",
    "bulletinFamily": "",
    "cwe": [
        "CWE-693"
    ],
    "cvelist": null,
    "sourceData": "pnpm pnpm > 10.0.0, < 10.26.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pnpm",
    "version": "> 10.0.0, < 10.26.0",
    "vendor": "pnpm",
    "ai_description": "Remote code execution vulnerability in pnpm due to bypass of dependency lifecycle scripts execution disabled by default",
    "ai_severity": "High",
    "ai_vendor": "pnpm",
    "ai_product": "pnpm",
    "ai_version": "10.0.0-10.25",
    "ai_score": 8.8
}

pnpm v10+ Bypass “Dependency lifecycle scripts execution disabled by default”_CVE-2025-69264