SB20260427150 - Multiple vulnerabilities in pnpm
Published: April 27, 2026
Breakdown by Severity: severity chart (Low / Medium / High / Critical; counts not reproduced)
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Download of code without integrity check (CVE-ID: CVE-2025-69263)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists because the tarball resolver downloads code without an integrity check when processing HTTP tarball and git-hosted tarball dependencies during installation. A remote attacker can publish a package with a crafted HTTP or git tarball dependency to execute arbitrary code.
User interaction is required to install a package that has an HTTP or git tarball in its dependency tree.
2) Protection Mechanism Failure (CVE-ID: CVE-2025-69264)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists because of a protection mechanism failure in the handling of lifecycle scripts for git-hosted dependencies during pnpm install. A remote attacker can supply a specially crafted git-hosted dependency to execute arbitrary code.
User interaction is required to run pnpm install on a project that includes the malicious dependency.
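Both issues above affect projects whose dependency tree contains HTTP tarball or git-hosted dependencies. The following audit script, added here and not part of pnpm or this bulletin, flags direct dependencies of those two classes in a package.json manifest; the manifest, package names and helper names are constructed for illustration. It inspects only direct dependencies, so transitive ones would still have to be read from the lockfile.

```javascript
// Added example: classify dependency specs from package.json and report the
// HTTP tarball and git-hosted ones. Not pnpm's code; names are hypothetical.

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Returns "git", "http-tarball", or null for registry/file/workspace specs.
function classifySpec(spec) {
  const s = String(spec).trim();
  // Explicit git protocols and hosted-git shorthands (github:, gitlab:, ...)
  if (/^git(\+(ssh|https?|file))?:\/\//i.test(s)) return "git";
  if (/^(ssh:\/\/|git@)/i.test(s)) return "git";
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return "git";
  if (/^https?:\/\//i.test(s)) {
    // Archive extensions are remote tarballs, even on a git host
    if (/\.(tgz|tar\.gz|tar)(\?.*)?$/i.test(s)) return "http-tarball";
    // Plain URLs to known git hosts or ending in .git are git repositories
    if (/^https?:\/\/(www\.)?(github\.com|gitlab\.com|bitbucket\.org)\//i.test(s)) return "git";
    if (/\.git(#.*)?$/i.test(s)) return "git";
    return "http-tarball";
  }
  // Bare owner/repo[#ref] is GitHub shorthand (scoped names start with @)
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return "git";
  return null;
}

// Walks every dependency field and collects the flagged entries.
function auditManifest(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpec(spec);
      if (kind) findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real project).
const SAMPLE_MANIFEST = {
  dependencies: {
    "lodash": "^4.17.21",
    "@scope/pkg": "1.0.0",
    "left-util": "https://example.invalid/left-util-1.0.0.tgz",
    "fancy-lib": "git+https://example.invalid/org/fancy-lib.git#v2",
    "shorthand-lib": "someorg/shorthand-lib#main",
  },
  devDependencies: {
    "local-tool": "file:../local-tool",
    "gh-tool": "github:someorg/gh-tool",
  },
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.field}: ${f.name} -> ${f.kind} (${f.spec})`);
}
```

Run it against a real manifest by replacing SAMPLE_MANIFEST with the parsed package.json; any reported entry is one that the bulletin's affected code paths would process during install.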
Remediation
Install the update from the vendor's website.