{"id":"CVE-2025-69262","summary":"pnpm vulnerable to Command Injection via environment variable substitution","details":"pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.","aliases":["GHSA-2phv-j68v-wwqx"],"modified":"2026-04-10T05:35:18.672551Z","published":"2026-01-07T22:30:07.428Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69262.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-78","CWE-94"]},"references":[{"type":"WEB","url":"https://github.com/pnpm/pnpm/releases/tag/v10.27.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69262.json"},{"type":"ADVISORY","url":"https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69262"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pnpm/pnpm","events":[{"introduced":"4e55758eeec46c6f56e183ebd0a615c491eead09"},{"fixed":"6bdba72ad31e4d6b79821405e09c6bdcc93894ee"}]}],"versions":["v1","v10.0.0","v10.0.0-alpha.0","v10.0.0-alpha.1","v10.0.0-alpha.2","v10.0.0-alpha.3","v10.0.0-alpha.4","v10.0.0-beta.0","v10.0.0-beta.1","v10.0.0-beta.2","v10.0.0-beta.3","v10.0.0-rc.0","v10.0.0-rc.1","v10.0.0-rc.2","v10.0.0-rc.3","v10.1.0","v10.10.0","v10.11.0","v10.12.1","v10.12.2","v10.12.3","v10.12.4","v10.13.0","v10.13.1","v10.14.0","v10.14.0-0","v10.15.0","v10.15.1","v10.16.0","v10.16.1","v10.17.0","v10.17.1","v10.18.0","v10.18.1","v10.18.2","v10.18.3","v10.19.0","v10.19.1-oidc-test.0","v10.19.1-oidc-test.1","v10.19.1-oidc-test.2","v10.19.1-oidc-test.3","v10.2.0","v10.2.1","v10.20.0","v10.21.0","v10.22.0","v10.23.0","v10.24.0","v10.25.0","v10.26.0","v10.26.1","v10.26.2","v10.3.0","v10.4.0","v10.4.1","v10.5.0","v10.5.1","v10.5.2","v10.6.0","v10.6.1","v10.6.2","v10.7.0","v10.8.0","v10.8.1","v10.9.0","v6.25.0","v6.25.1","v6.26.0","v6.26.1","v6.27.0","v7.0.0","v7.0.0-alpha.0","v7.0.0-alpha.1","v7.0.0-alpha.2","v7.0.0-alpha.3","v7.0.0-alpha.4","v7.0.0-beta.0","v7.0.0-beta.1","v7.0.0-beta.2","v7.0.0-rc.0","v7.0.0-rc.1","v7.0.0-rc.2","v7.0.0-rc.3","v7.0.0-rc.4","v7.0.0-rc.5","v7.0.0-rc.6","v7.0.0-rc.7","v7.0.0-rc.8","v7.0.0-rc.9","v7.0.1","v7.1.0","v7.1.1","v7.1.2","v7.1.3","v7.1.4","v7.1.5","v7.1.6","v7.1.7","v7.1.8","v7.1.9","v7.10.0","v7.10.0-0","v7.10.0-1","v7.11.0","v7.11.1-0","v7.12.0","v7.12.0-0","v7.12.1","v7.12.2","v7.13.0","v7.13.1","v7.13.2","v7.13.3","v7.13.4","v7.13.5","v7.13.6","v7.14.0","v7.14.1","v7.14.2","v7.15.0","v7.16.0","v7.16.1","v7.17.0","v7.17.1","v7.18.0","v7.18.1","v7.18.2","v7.19.0","v7.2.0","v7.2.1","v7.20.0","v7.21.0","v7.22.0","v7.23.0","v7.24.0","v7.24.1","v7.24.2","v7.24.3","v7.25.0","v7.25.1","v7.26.0","v7.26.1","v7.26.2","v7.26.3","v7.27.0","v7.27.0-0","v7.27.1","v7.28.0","v7.28.0-0","v7.29.0","v7.29.0-0","v7.29.0-1","v7.29.0-2","v7.29.1","v7.29.2","v7.29.3","v7.3.0","v7.30.0","v7.30.0-0","v7.4.0","v7.4.0-0","v7.4.0-1","v7.4.0-2","v7.4.0-3","v7.4.0-4","v7.4.1","v7.5.0","v7.5.1","v7.5.2","v7.6.0","v7.6.0-0","v7.7.0","v7.7.0-0","v7.7.0-1","v7.7.1","v7.8.0","v7.9.0","v7.9.0-0","v7.9.1","v7.9.2","v7.9.3","v7.9.4","v7.9.4-0","v7.9.5","v8.0.0","v8.0.0-beta.1","v8.0.0-rc.0","v8.0.0-rc.1","v8.1.0","v8.1.1","v8.10.0","v8.10.0-0","v8.10.1","v8.10.2","v8.10.3","v8.10.4","v8.10.5","v8.11.0","v8.12.0","v8.12.1","v8.13.1","v8.14.0","v8.2.0","v8.3.0","v8.3.0-0","v8.3.1","v8.4.0","v8.5.0","v8.5.1","v8.6.0","v8.6.1","v8.6.10","v8.6.11","v8.6.12","v8.6.2","v8.6.3","v8.6.4","v8.6.5","v8.6.6","v8.6.7","v8.6.8","v8.6.9","v8.7.0","v8.7.0-0","v8.7.1","v8.7.2","v8.7.3","v8.7.4","v8.7.5","v8.7.6","v8.8.0","v8.9.0","v8.9.0-0","v8.9.0-1","v8.9.1","v8.9.2","v9.0.0","v9.0.0-alpha.0","v9.0.0-alpha.1","v9.0.0-alpha.10","v9.0.0-alpha.2","v9.0.0-alpha.3","v9.0.0-alpha.4","v9.0.0-alpha.5","v9.0.0-alpha.6","v9.0.0-alpha.7","v9.0.0-alpha.8","v9.0.0-alpha.9","v9.0.0-beta.0","v9.0.0-beta.1","v9.0.0-beta.2","v9.0.0-beta.3","v9.0.0-rc.0","v9.0.0-rc.1","v9.0.0-rc.2","v9.0.1","v9.0.2","v9.0.3","v9.0.4","v9.0.5","v9.0.6","v9.1.0","v9.1.0-0","v9.1.1","v9.1.2","v9.1.3","v9.1.4","v9.10.0","v9.11.0","v9.12.0","v9.12.1","v9.12.2","v9.12.3","v9.2.0","v9.3.0","v9.4.0","v9.5.0","v9.5.0-beta.0","v9.5.0-beta.1","v9.5.0-beta.2","v9.5.0-beta.3","v9.6.0","v9.7.0","v9.7.1","v9.8.0","v9.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69262.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}]}