VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-19yz-vtve-a7eu

Essentials
Severities (18)
References (8)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-19yz-vtve-a7eu
Aliases	CVE-2025-69264 GHSA-379q-355j-w6rj
Summary	pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default" A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during `pnpm install`, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks `postinstall` scripts via the `onlyBuiltDependencies` mechanism, git dependencies can still execute `prepare`, `prepublish`, and `prepack` scripts during the fetch phase, enabling remote code execution without user consent or approval.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-693	Protection Mechanism Failure
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	8.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69264.json
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2025-69264
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2025-69264
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2025-69264
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2025-69264
epss	0.00101	https://api.first.org/data/v1/epss?cve=CVE-2025-69264
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-379q-355j-w6rj
cvssv3.1	8.8	https://github.com/pnpm/pnpm
generic_textual	HIGH	https://github.com/pnpm/pnpm
cvssv3.1	8.8	https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5
generic_textual	HIGH	https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5
ssvc	Track*	https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5
cvssv3.1	8.8	https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj
cvssv3.1_qr	HIGH	https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj
generic_textual	HIGH	https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj
ssvc	Track*	https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj
cvssv3.1	8.8	https://nvd.nist.gov/vuln/detail/CVE-2025-69264
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-69264

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69264.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-69264
		https://github.com/pnpm/pnpm
		https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5
2427709		https://bugzilla.redhat.com/show_bug.cgi?id=2427709
CVE-2025-69264		https://nvd.nist.gov/vuln/detail/CVE-2025-69264
GHSA-379q-355j-w6rj		https://github.com/advisories/GHSA-379q-355j-w6rj
GHSA-379q-355j-w6rj		https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69264.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnpm/pnpm

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:29Z/ Found at https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:29Z/ Found at https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-69264

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.26732
EPSS Score	0.00097
Published At	June 6, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:49:24.441923+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2025-69264.yml	38.6.0