CVE-2025-69263

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-69263

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69263.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-69263

Aliases

GHSA-7vhp-vf5g-r2fw

Downstream

MINI-gp4p-jc2h-52v6

Published

2026-01-07T21:31:07.567Z

Modified

2026-04-10T05:35:18.559007Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies

Details

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69263.json",
    "cwe_ids": [
        "CWE-494"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/pnpm/pnpm

Affected ranges

Type: GIT
Repo: https://github.com/pnpm/pnpm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

244e33b4e963b257952dadf192d829bfec858fb9

Affected versions

0.*

0.19.0

@pnpm/headless@0.*

@pnpm/headless@0.6.2

@pnpm/utils@0.*

@pnpm/utils@0.6.1

config/1.*

config/1.0.0

config/1.1.0

config/1.2.0

config/1.2.1

config/1.2.2

config/1.2.3

config/1.2.4

config/1.2.5

config/1.2.6

config/1.2.7

config/1.3.0

config/1.3.1

config/2.*

config/2.0.0

config/2.0.1

config/2.1.0

config/2.1.1

config/2.2.0

core-loggers/0.*

core-loggers/0.0.0

default-fetcher/2.*

default-fetcher/2.0.1

default-fetcher/2.0.2

default-reporter/0.*

default-reporter/0.17.0

default-resolver/2.*

default-resolver/2.0.2

default-resolver/2.0.3

default-resolver/2.0.4

headless/0.*

headless/0.4.0

headless/0.5.0

headless/0.5.1

headless/0.5.2

headless/0.5.3

headless/0.5.4

headless/0.6.0

headless/0.6.1

headless/0.6.3

headless/0.6.4

headless/0.6.5

headless/0.6.7

headless@0.*

headless@0.6.6

package-requester/4.*

package-requester/4.1.0

package-requester/4.1.2

package-requester/4.1.3

package-requester/4.1.4

package-requester@4.*

package-requester@4.1.1

package-store/0.*

package-store/0.23.2

package-store/0.23.3

package-store/0.23.4

pnpm-default-reporter/0.*

pnpm-default-reporter/0.17.1

pnpm-default-reporter/0.17.2

pnpm-default-reporter/0.17.3

pnpm-default-reporter/0.17.4

pnpm-default-reporter/0.17.5

pnpm-default-reporter/0.17.6

pnpm-default-reporter/0.17.7

pnpm-default-reporter/0.17.8

pnpm-default-reporter/0.18.0

pnpm-default-reporter/0.19.0

pnpm-default-reporter/0.19.1

pnpm-default-reporter/0.19.2

pnpm-default-reporter/0.20.0

pnpm-default-reporter/0.20.2

pnpm-default-reporter/0.20.3

pnpm-default-reporter/0.20.4

pnpm-default-reporter/0.20.5

pnpm-default-reporter@0.*

pnpm-default-reporter@0.20.1

server/0.*

server/0.14.1

server/0.14.2

server/0.14.3

supi/0.*

supi/0.19.1

supi/0.19.2

supi/0.19.3

supi/0.20.0

supi/0.20.1

supi/0.20.2

supi/0.20.3

supi/0.20.4

supi/0.20.5

supi/0.20.6

supi/0.20.7

supi/0.20.8

supi/0.21.0

supi/0.21.1

supi/0.22.0

supi/0.22.1

supi/0.22.2

supi/0.23.0

supi/0.23.1

supi/0.24.0

supi/0.24.10

supi/0.24.2

supi/0.24.3

supi/0.24.4

supi/0.24.5

supi/0.24.6

supi/0.24.7

supi/0.24.8

supi@0.*

supi@0.24.1

supi@0.24.9

utils/0.*

utils/0.1.0

utils/0.2.0

utils/0.2.1

utils/0.3.0

utils/0.4.0

utils/0.5.0

utils/0.5.1

utils/0.6.0

utils/0.6.2

utils/0.6.3

utils/0.6.4

utils/0.8.0

utils@0.*

utils@0.7.0

v0.*

v0.1.0

v0.10.0

v0.10.1

v0.11.0

v0.11.1

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.2.0

v0.2.1

v0.2.2

v0.20.0

v0.21.0

v0.22.1

v0.23.0

v0.24.0

v0.25.0

v0.26.1

v0.26.2

v0.27.0

v0.28.0

v0.29.0

v0.29.1

v0.3.0

v0.30.0

v0.31.0

v0.31.1

v0.31.2

v0.32.0

v0.32.1

v0.33.0

v0.34.0

v0.35.0

v0.36.0

v0.37.0

v0.38.0

v0.38.1

v0.38.2

v0.39.0

v0.39.1

v0.4.0

v0.4.1

v0.40.0

v0.41.0

v0.42.0

v0.42.1

v0.42.2

v0.42.3

v0.42.4

v0.42.5

v0.42.6

v0.43.0

v0.43.1

v0.43.2

v0.44.0

v0.44.1

v0.45.0

v0.45.1

v0.46.0

v0.47.0

v0.47.1

v0.48.0

v0.48.1

v0.49.0

v0.49.1

v0.49.2

v0.5.0

v0.50.0

v0.51.0

v0.51.1

v0.51.2

v0.51.3

v0.52.0

v0.52.1

v0.53.0

v0.54.0

v0.54.1

v0.55.0

v0.55.1

v0.55.2

v0.55.3

v0.56.0

v0.57.0

v0.57.1

v0.57.2

v0.58.0

v0.59.0

v0.6.1

v0.60.0

v0.60.1

v0.60.2

v0.60.3

v0.61.0

v0.62.0

v0.62.1

v0.62.2

v0.63.0

v0.64.0

v0.64.1

v0.64.2

v0.64.3

v0.64.4

v0.64.5

v0.64.6

v0.64.7

v0.64.8

v0.65.0

v0.65.1

v0.65.2

v0.65.3

v0.65.4

v0.65.5

v0.65.6

v0.65.7

v0.66.0

v0.66.1

v0.66.2

v0.66.3

v0.66.4

v0.67.0

v0.67.1

v0.67.2

v0.67.3

v0.68.0

v0.69.0

v0.69.0-beta.1

v0.69.0-beta.2

v0.69.0-beta.3

v0.69.0-beta.4

v0.69.1

v0.69.2

v0.69.3

v0.69.4

v0.7.0

v0.70.0

v0.70.0-beta.1

v0.70.0-beta.2

v0.70.1

v0.71.0

v0.71.1

v0.72.0

v0.73.0

v0.73.1

v0.73.2

v0.73.3

v0.74.0

v0.74.1

v0.74.2

v0.74.3

v0.74.4

v0.75.0

v0.8.0

v0.8.1

v0.8.2

v0.9.0

Other

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.10.0

v1.10.1

v1.10.2

v1.11.0

v1.11.1

v1.12.0

v1.13.0

v1.13.1

v1.13.2

v1.14.0

v1.14.10

v1.14.2

v1.14.3

v1.14.4

v1.14.5

v1.14.6

v1.14.7

v1.14.8

v1.14.9

v1.15.0

v1.16.0

v1.16.2

v1.16.3

v1.17.0

v1.17.1

v1.17.2

v1.18.0

v1.18.1

v1.19.0

v1.19.1

v1.19.2

v1.19.3

v1.19.4

v1.19.5

v1.19.6

v1.19.7

v1.2.0

v1.20.0

v1.21.0

v1.22.0

v1.23.0

v1.23.1

v1.23.2

v1.24.0

v1.24.0-2

v1.24.0-3

v1.24.1

v1.24.2

v1.24.3

v1.25.0

v1.25.1

v1.26.0

v1.27.0

v1.27.0-0

v1.27.0-1

v1.28.0

v1.29.1

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.30.0

v1.30.1

v1.30.2

v1.31.0

v1.31.1

v1.31.2

v1.31.3

v1.31.4

v1.31.5

v1.31.6

v1.32.0

v1.32.1

v1.33.0

v1.33.1

v1.33.2

v1.34.0

v1.35.0

v1.35.1

v1.35.10

v1.35.2

v1.35.3

v1.35.4

v1.35.5

v1.35.6

v1.35.7

v1.35.8

v1.35.9

v1.36.0

v1.36.1

v1.36.2

v1.37.0

v1.37.1

v1.37.2

v1.37.3

v1.37.5

v1.38.0

v1.38.2

v1.38.3

v1.39.0

v1.39.1

v1.4.0

v1.40.0

v1.40.1

v1.40.2

v1.41.0

v1.41.1

v1.41.2

v1.41.3

v1.42.0

v1.43.0

v1.43.1

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.6.0

v1.6.1

v1.7.0

v1.7.1

v1.8.0

v1.8.1

v1.8.2

v1.9.0

v10.*

v10.0.0

v10.0.0-alpha.0

v10.0.0-alpha.1

v10.0.0-alpha.2

v10.0.0-alpha.3

v10.0.0-alpha.4

v10.0.0-beta.0

v10.0.0-beta.1

v10.0.0-beta.2

v10.0.0-beta.3

v10.0.0-rc.0

v10.0.0-rc.1

v10.0.0-rc.2

v10.0.0-rc.3

v10.1.0

v10.10.0

v10.11.0

v10.12.1

v10.12.2

v10.12.3

v10.12.4

v10.13.0

v10.13.1

v10.14.0

v10.14.0-0

v10.15.0

v10.15.1

v10.16.0

v10.16.1

v10.17.0

v10.17.1

v10.18.0

v10.18.1

v10.18.2

v10.18.3

v10.19.0

v10.19.1-oidc-test.0

v10.19.1-oidc-test.1

v10.19.1-oidc-test.2

v10.19.1-oidc-test.3

v10.2.0

v10.2.1

v10.20.0

v10.21.0

v10.22.0

v10.23.0

v10.24.0

v10.25.0

v10.3.0

v10.4.0

v10.4.1

v10.5.0

v10.5.1

v10.5.2

v10.6.0

v10.6.1

v10.6.2

v10.7.0

v10.8.0

v10.8.1

v10.9.0

v2.*

v2.0.0

v2.0.0-rc.0

v2.1.0

v2.10.0

v2.10.1

v2.10.2

v2.10.3

v2.10.4

v2.11.0

v2.12.0

v2.12.0-0

v2.12.0-1

v2.12.1

v2.13.0

v2.13.1

v2.13.3

v2.14.0

v2.14.0-0

v2.14.0-1

v2.14.1

v2.14.2

v2.14.3

v2.14.4

v2.14.5

v2.15.0

v2.15.1

v2.15.2

v2.16.0

v2.16.1

v2.17.0

v2.17.0-0

v2.17.0-1

v2.17.0-2

v2.17.0-3

v2.17.0-4

v2.17.0-5

v2.17.1

v2.17.2

v2.17.3

v2.17.4

v2.17.5

v2.17.6

v2.17.7

v2.17.8

v2.18.0

v2.18.2

v2.19.0

v2.19.0-0

v2.19.0-1

v2.19.0-2

v2.19.1

v2.19.2

v2.19.3

v2.19.4

v2.2.0

v2.2.1

v2.2.2

v2.20.0

v2.20.1

v2.21.0

v2.21.1

v2.22.0

v2.22.0-0

v2.23.0

v2.23.0-0

v2.23.1

v2.24.0

v2.24.0-0

v2.24.1

v2.24.2

v2.25.0

v2.25.0-0

v2.25.0-1

v2.25.1

v2.25.2

v2.25.3

v2.25.4

v2.3.0

v2.3.1

v2.4.0

v2.5.0

v2.6.0

v2.6.1

v2.6.2

v2.7.0

v2.8.0

v2.9.0

v3.*

v3.0.0

v3.0.0-alpha.0

v3.0.0-alpha.1

v3.0.0-alpha.2

v3.0.0-alpha.3

v3.0.0-beta.0

v3.0.0-beta.2

v3.0.1

v3.1.0

v3.1.0-0

v3.1.0-1

v3.1.1

v3.2.0

v3.2.0-0

v3.2.0-1

v3.3.0

v3.3.0-0

v3.3.0-1

v3.3.0-2

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.4.0

v3.4.0-0

v3.4.1

v3.5.0

v3.5.0-0

v3.5.0-1

v3.5.0-2

v3.5.0-3

v3.5.1

v3.5.2

v3.5.3

v3.5.5

v3.5.6

v3.5.7

v3.6.0

v3.6.0-0

v3.6.1

v3.6.2

v3.7.0

v3.7.0-0

v3.7.0-1

v3.7.0-2

v3.7.0-3

v3.7.0-4

v3.7.0-5

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.7.5

v3.8.0

v3.8.0-0

v3.8.0-1

v3.8.1

v4.*

v4.0.0

v4.0.0-0

v4.0.0-1

v4.0.0-2

v4.0.0-3

v4.0.0-4

v4.0.0-5

v4.0.0-6

v4.0.0-7

v4.0.0-8

v4.0.1

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.10.0

v4.10.0-0

v4.10.0-1

v4.10.0-2

v4.10.0-3

v4.11.0

v4.11.1

v4.11.2

v4.11.3

v4.11.4

v4.12.0

v4.12.0-0

v4.12.0-1

v4.12.1

v4.12.2

v4.12.3

v4.12.4

v4.12.5

v4.13.0

v4.13.0-0

v4.13.0-1

v4.14.0

v4.14.0-0

v4.14.0-1

v4.14.0-2

v4.14.1

v4.2.0

v4.2.0-0

v4.2.2

v4.2.3

v4.3.0

v4.3.0-0

v4.3.1

v4.4.0

v4.4.0-0

v4.4.0-1

v4.4.0-2

v4.5.0

v4.5.0-0

v4.5.0-1

v4.5.0-6

v4.6.0

v4.6.0-0

v4.6.0-1

v4.7.0

v4.7.0-1

v4.7.1

v4.7.2

v4.8.0

v4.8.0-0

v4.8.0-1

v4.9.0

v4.9.0-0

v4.9.0-1

v4.9.0-2

v4.9.0-3

v4.9.0-4

v4.9.1

v4.9.2

v4.9.3

v5.*

v5.0.0

v5.0.0-0

v5.0.0-1

v5.0.0-alpha.2

v5.0.0-alpha.3

v5.0.0-alpha.4

v5.0.0-alpha.5

v5.0.0-alpha.6

v5.0.0-alpha.7

v5.0.0-rc.0

v5.0.0-rc.1

v5.0.0-rc.2

v5.0.0-rc.3

v5.0.0-rc.4

v5.0.0-rc.5

v5.0.1

v5.0.2

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.1.4

v5.1.5

v5.1.6

v5.1.7

v5.1.8

v5.10.0

v5.10.0-0

v5.10.1

v5.10.2

v5.10.3

v5.10.4

v5.11.0

v5.11.1

v5.12.0

v5.13.0

v5.13.1

v5.13.2

v5.13.3

v5.13.4

v5.13.5

v5.13.6

v5.13.7

v5.14.0

v5.14.1

v5.14.2

v5.14.3

v5.15.0

v5.15.1

v5.15.2

v5.15.3

v5.16.0

v5.16.0-0

v5.16.0-1

v5.16.0-2

v5.16.1

v5.17.0

v5.17.1

v5.17.2

v5.17.3

v5.18.0

v5.18.1

v5.2.0

v5.2.0-0

v5.2.1

v5.2.2

v5.2.3

v5.2.4

v5.2.5

v5.2.6

v5.2.8

v5.2.9

v5.3.0

v5.4.0

v5.4.1

v5.4.10

v5.4.11

v5.4.12

v5.4.2

v5.4.3

v5.4.4

v5.4.5

v5.4.6

v5.4.7

v5.4.8

v5.4.9

v5.5.0

v5.5.1

v5.5.10

v5.5.11

v5.5.12

v5.5.13

v5.5.2

v5.5.3

v5.5.4

v5.5.5

v5.5.6

v5.5.7

v5.5.8

v5.5.9

v5.6.0

v5.6.0-0

v5.6.1

v5.7.0

v5.7.0-0

v5.8.0

v5.8.0-0

v5.9.0

v5.9.0-0

v5.9.0-1

v5.9.0-2

v5.9.2

v5.9.3

v6.*

v6.0.0

v6.0.0-alpha.3

v6.0.0-alpha.4

v6.0.0-alpha.5

v6.0.0-alpha.6

v6.0.0-beta.0

v6.0.0-beta.1

v6.0.0-rc.0

v6.0.0-rc.1

v6.0.1

v6.0.2

v6.1.0

v6.10.0

v6.10.0-0

v6.10.0-1

v6.10.1

v6.10.2

v6.11.0

v6.11.0-0

v6.11.1

v6.11.2

v6.11.5

v6.12.0

v6.12.0-0

v6.12.0-1

v6.12.0-2

v6.12.1

v6.13.0

v6.13.0-0

v6.14.0

v6.14.0-0

v6.14.0-3

v6.14.1

v6.14.2

v6.14.3

v6.14.4

v6.14.4-0

v6.14.4-1

v6.14.5

v6.14.6

v6.14.7

v6.15.0

v6.15.1

v6.15.2

v6.16.0

v6.16.1

v6.17.0

v6.17.1

v6.17.2

v6.18.0

v6.19.0

v6.19.1

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.2.4

v6.2.5

v6.20.0

v6.20.1

v6.20.2

v6.20.3

v6.20.4

v6.21.0

v6.21.1

v6.22.0

v6.22.1

v6.22.2

v6.23.0

v6.23.1

v6.23.2

v6.23.3

v6.23.4

v6.23.5

v6.23.6

v6.24.0

v6.24.0-0

v6.24.0-1

v6.24.1

v6.24.2

v6.24.3

v6.24.4

v6.25.0

v6.25.0-0

v6.25.0-1

v6.25.0-2

v6.25.0-3

v6.25.1

v6.26.0

v6.26.1

v6.27.0

v6.3.0

v6.4.0

v6.5.0

v6.6.0

v6.6.1

v6.6.2

v6.7.0

v6.7.1

v6.7.2

v6.7.3

v6.7.4

v6.7.5

v6.7.6

v6.8.0

v6.9.0

v6.9.1

v7.*

v7.0.0

v7.0.0-alpha.0

v7.0.0-alpha.1

v7.0.0-alpha.2

v7.0.0-alpha.3

v7.0.0-alpha.4

v7.0.0-beta.0

v7.0.0-beta.1

v7.0.0-beta.2

v7.0.0-rc.0

v7.0.0-rc.1

v7.0.0-rc.2

v7.0.0-rc.3

v7.0.0-rc.4

v7.0.0-rc.5

v7.0.0-rc.6

v7.0.0-rc.7

v7.0.0-rc.8

v7.0.0-rc.9

v7.0.1

v7.1.0

v7.1.1

v7.1.2

v7.1.3

v7.1.4

v7.1.5

v7.1.6

v7.1.7

v7.1.8

v7.1.9

v7.10.0

v7.10.0-0

v7.10.0-1

v7.11.0

v7.11.1-0

v7.12.0

v7.12.0-0

v7.12.1

v7.12.2

v7.13.0

v7.13.1

v7.13.2

v7.13.3

v7.13.4

v7.13.5

v7.13.6

v7.14.0

v7.14.1

v7.14.2

v7.15.0

v7.16.0

v7.16.1

v7.17.0

v7.17.1

v7.18.0

v7.18.1

v7.18.2

v7.19.0

v7.2.0

v7.2.1

v7.20.0

v7.21.0

v7.22.0

v7.23.0

v7.24.0

v7.24.1

v7.24.2

v7.24.3

v7.25.0

v7.25.1

v7.26.0

v7.26.1

v7.26.2

v7.26.3

v7.27.0

v7.27.0-0

v7.27.1

v7.28.0

v7.28.0-0

v7.29.0

v7.29.0-0

v7.29.0-1

v7.29.0-2

v7.29.1

v7.29.2

v7.29.3

v7.3.0

v7.30.0

v7.30.0-0

v7.4.0

v7.4.0-0

v7.4.0-1

v7.4.0-2

v7.4.0-3

v7.4.0-4

v7.4.1

v7.5.0

v7.5.1

v7.5.2

v7.6.0

v7.6.0-0

v7.7.0

v7.7.0-0

v7.7.0-1

v7.7.1

v7.8.0

v7.9.0

v7.9.0-0

v7.9.1

v7.9.2

v7.9.3

v7.9.4

v7.9.4-0

v7.9.5

v8.*

v8.0.0

v8.0.0-beta.1

v8.0.0-rc.0

v8.0.0-rc.1

v8.1.0

v8.1.1

v8.10.0

v8.10.0-0

v8.10.1

v8.10.2

v8.10.3

v8.10.4

v8.10.5

v8.11.0

v8.12.0

v8.12.1

v8.13.1

v8.14.0

v8.2.0

v8.3.0

v8.3.0-0

v8.3.1

v8.4.0

v8.5.0

v8.5.1

v8.6.0

v8.6.1

v8.6.10

v8.6.11

v8.6.12

v8.6.2

v8.6.3

v8.6.4

v8.6.5

v8.6.6

v8.6.7

v8.6.8

v8.6.9

v8.7.0

v8.7.0-0

v8.7.1

v8.7.2

v8.7.3

v8.7.4

v8.7.5

v8.7.6

v8.8.0

v8.9.0

v8.9.0-0

v8.9.0-1

v8.9.1

v8.9.2

v9.*

v9.0.0

v9.0.0-alpha.0

v9.0.0-alpha.1

v9.0.0-alpha.10

v9.0.0-alpha.2

v9.0.0-alpha.3

v9.0.0-alpha.4

v9.0.0-alpha.5

v9.0.0-alpha.6

v9.0.0-alpha.7

v9.0.0-alpha.8

v9.0.0-alpha.9

v9.0.0-beta.0

v9.0.0-beta.1

v9.0.0-beta.2

v9.0.0-beta.3

v9.0.0-rc.0

v9.0.0-rc.1

v9.0.0-rc.2

v9.0.1

v9.0.2

v9.0.3

v9.0.4

v9.0.5

v9.0.6

v9.1.0

v9.1.0-0

v9.1.1

v9.1.2

v9.1.3

v9.1.4

v9.10.0

v9.11.0

v9.12.0

v9.12.1

v9.12.2

v9.12.3

v9.2.0

v9.3.0

v9.4.0

v9.5.0

v9.5.0-beta.0

v9.5.0-beta.1

v9.5.0-beta.2

v9.5.0-beta.3

v9.6.0

v9.7.0

v9.7.1

v9.8.0

v9.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69263.json"