CVE-2025-69263 HIGH

CVE-2025-69263: pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies

Vendor Pnpm
Product pnpm
Weakness CWE-494 · Download without integrity check
Published January 7, 2026
Last update June 30, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0.

Key dates

02Disclosure timeline

January 7, 2026 CVE published
June 30, 2026 Record updated