CVE-2025-69262

7.5HIGH

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings.

发布于: 1/7/2026更新于: 1/12/2026
在NVD查看在MITRE查看

描述

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.

AI分析AI驱动

受影响产品

pnpmpnpm

参考资料