SB20260427151 - OS Command Injection in pnpm
Published: April 27, 2026
Security Bulletin ID
SB20260427151
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) OS Command Injection (CVE-ID: CVE-2025-69262)
The vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to command injection in the loadToken() function in pnpm/network/auth-header/src/getAuthHeadersFromConfig.ts when processing environment variable substitution in .npmrc tokenHelper settings. A local privileged user can control an environment variable that supplies the helper path to execute arbitrary code.
Exploitation requires use of tokenHelper settings with environment variable substitution in .npmrc during pnpm operations.
Remediation
Install update from vendor's website.