CVE-2025-69262

7.5HIGH

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings.

게시됨: 1/7/2026업데이트됨: 1/12/2026
NVD에서 보기MITRE에서 보기

설명

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.

AI 분석AI 기반

영향받는 제품

pnpmpnpm

참조