OS Command Injection in pnpm - CVE-2025-69262


Published: April 27, 2026


Vulnerability identifier: #VU128179
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-69262
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: pnpm
Affected software: pnpm

Detailed vulnerability description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to OS command injection in the loadToken() function in pnpm/network/auth-header/src/getAuthHeadersFromConfig.ts when it processes environment variable substitution in .npmrc tokenHelper settings. A local privileged user who controls the environment variable that supplies the helper path can execute arbitrary code.

Exploitation requires that .npmrc contains a tokenHelper setting that uses environment variable substitution and that pnpm evaluates it during its operations.
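As an added defender-side check (not pnpm's own code), the Node.js script below audits .npmrc tokenHelper entries that rely on environment substitution: it resolves each entry against a supplied environment map and flags values that are not a plain absolute path or that contain characters a shell would interpret. The sample .npmrc and environment are constructed for illustration; the `${VAR}` form is npm's configuration substitution syntax.

```javascript
const SHELL_META = /[;&|`$<>(){}\n\r\t ]/; // characters a shell would interpret

// Minimal .npmrc parser: key=value per line, '#' or ';' starts a comment.
function parseNpmrc(text) {
  const entries = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    entries[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return entries;
}

// Expand ${VAR} references from the supplied map (not process.env), unset vars become ''.
function expandEnv(value, env) {
  return value.replace(/\$\{([^}]+)\}/g, (_, name) => (name in env ? env[name] : ''));
}

// One finding per tokenHelper key whose value uses environment substitution.
function auditTokenHelpers(npmrcText, env) {
  const findings = [];
  for (const [key, value] of Object.entries(parseNpmrc(npmrcText))) {
    if (!key.endsWith('tokenHelper') || !/\$\{[^}]+\}/.test(value)) continue;
    const resolved = expandEnv(value, env);
    findings.push({
      key,
      resolved,
      absolute: resolved.startsWith('/'),      // helper should be a fixed absolute path
      shellMeta: SHELL_META.test(resolved),    // any shell syntax is a red flag
    });
  }
  return findings;
}

// Constructed sample: one clean helper path, one env value carrying shell syntax.
const SAMPLE_NPMRC = [
  '//registry.example.test/:tokenHelper=${SAFE_HELPER}',
  '//npm.example.test/:tokenHelper=${UNTRUSTED_HELPER}',
  'registry=https://registry.example.test/',
].join('\n');
const SAMPLE_ENV = {
  SAFE_HELPER: '/usr/local/bin/npm-token-helper',
  UNTRUSTED_HELPER: '/usr/local/bin/helper; id',
};
for (const f of auditTokenHelpers(SAMPLE_NPMRC, SAMPLE_ENV)) {
  console.log(f.shellMeta || !f.absolute ? 'FLAG' : 'ok', f.key, JSON.stringify(f.resolved));
}
```

Run it against real .npmrc files by replacing the constructed sample and map with file contents and process.env; any FLAG line points at a helper setting worth reviewing before the vendor update is applied.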


How to mitigate CVE-2025-69262

Install security update from vendor's website.

Sources