CVE-2025-69262: pnpm vulnerable to Command Injection via environment variable substitution
A command injection vulnerability exists in pnpm when environment variable substitution is used in .npmrc configuration files together with tokenHelper settings. An attacker who can control environment variables while pnpm runs could achieve remote code execution (RCE) in build environments.
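The risky configuration pattern is a tokenHelper setting whose value is filled in from the environment. The following script is an added example (not code from pnpm or from this advisory) that audits .npmrc content for exactly that pattern so a build pipeline can flag it before pnpm runs. It assumes .npmrc is an INI-style file of key=value lines, that `#` or `;` begin comments, and that substitution uses the `${NAME}` syntax; the sample .npmrc, registry hostnames and helper path are constructed for the demonstration.

```javascript
// Added example (not pnpm's code): audit .npmrc content for tokenHelper
// settings that pull their value from environment variables via ${VAR}
// substitution, the configuration pattern described in CVE-2025-69262.
// Assumptions: INI-style key=value lines, '#'/';' comments, ${NAME} syntax.

const SUBSTITUTION = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Parse .npmrc text into {key, value, line} entries, skipping blanks/comments.
function parseNpmrc(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) return;
    const eq = line.indexOf('=');
    if (eq < 0) return;
    entries.push({
      key: line.slice(0, eq).trim(),
      value: line.slice(eq + 1).trim(),
      line: idx + 1,
    });
  });
  return entries;
}

// Report tokenHelper entries (top-level or registry-scoped, e.g.
// "//host/:tokenHelper") whose value contains ${VAR} substitution.
function findRiskyTokenHelpers(text) {
  const findings = [];
  for (const e of parseNpmrc(text)) {
    if (!/(^|:)tokenHelper$/.test(e.key)) continue;
    const vars = [...e.value.matchAll(SUBSTITUTION)].map((m) => m[1]);
    if (vars.length > 0) {
      findings.push({ line: e.line, key: e.key, value: e.value, vars });
    }
  }
  return findings;
}

// Constructed sample .npmrc (hostnames and paths are placeholders).
const SAMPLE_NPMRC = [
  '# constructed sample',
  'registry=https://registry.example.test/',
  '//registry.example.test/:tokenHelper=${TOKEN_HELPER_PATH}',
  'tokenHelper=/usr/local/bin/get-token',
  '//other.example.test/:_authToken=${NPM_TOKEN}',
].join('\n');

for (const f of findRiskyTokenHelpers(SAMPLE_NPMRC)) {
  console.log(`line ${f.line}: ${f.key} is built from env var(s) ${f.vars.join(', ')}`);
}
```

Only the scoped tokenHelper on line 3 of the sample is reported: the top-level tokenHelper uses a fixed path, and the `_authToken` entry is a different setting. In CI, run the audit over every .npmrc the build will read (project, user and global) and fail the job on any finding, rather than relying on the environment being trustworthy.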
Detect and mitigate CVE-2025-69262 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.